Re: [FW-1] VPN and NAT will not work at the same time with NG FP1
Kevin, I want to make sure I understand. When you ran your tests, did you put the 12.11.11.0/27 network in FW-1's encryption domain? Thanks

--- "Palmer, Kevin" <[email protected]> wrote:

> FW-1 Mailing List,
>
> I have run into a configuration problem connecting Check Point VPN-1 NG FP1 to other vendors' IPSec VPN gateways when NAT is configured on objects in CP's encryption domain. The following example should help. Some of the details have been omitted to create a more concise example.
>
> VPN Host
> (FreeS/WAN, LinkSYS BEFVP41, VPN-1*)
> 12.10.10.10/24
> |
> |
> Internet
> |
> |
> VPN-1 Gateway
> 12.11.11.98/27
> |
> |
> Encryption Domain behind firewall
> 172.16.192.1/18
> |
> |
> W2K Server
> 172.16.192.10/18
> 12.11.11.110/27 Static NAT
> |
> |
> W2K Client
> 172.16.192.11/18
> 12.11.11.111/27 Hide NAT
>
> * VPN-1 allows you to include the external subnet 12.11.11.0/27 in the encryption domain. Some vendors' IPSec VPN host and gateway products do not allow you to configure 12.11.11.0/27 as an encryption domain.
>
> Testing
>
> Ping From        Ping To          NAT   Result
> 12.10.10.10      172.16.192.10    YES   OK
> 12.10.10.10      172.16.192.11    YES   OK
> 12.10.10.10      172.16.192.10    NO    OK
> 12.10.10.10      172.16.192.11    NO    OK
> 172.16.192.10    12.10.10.10      YES   FAIL
> 172.16.192.11    12.10.10.10      YES   FAIL
> 172.16.192.10    12.10.10.10      NO    OK
> 172.16.192.11    12.10.10.10      NO    OK
>
> During testing I discovered that the VPN works in both directions when automatic NAT on the network and/or workstation object(s) is disabled. The problem seems to be that the VPN Host sees the incoming encrypted packet from 12.11.11.110 or 12.11.11.111 instead of from 172.16.192.10, 172.16.192.11, or even 12.11.11.98. When NAT is disabled, the VPN works. What I want to know is "How do I disable NAT for connections with a destination of 12.10.10.10?"
>
> Before you answer, I have set up the following NAT rules before the automatically created NAT rules. The extra NAT rules do not appear to be doing anything.
>
>      Original Packet                         Translated Packet
> No.  Source             Destination          Source      Destination
> 1    172.16.192.10/18   12.10.10.10          Original    Original
> 2    12.10.10.10        172.16.192.10/18     Original    Original
> 3    Start of Automatic NAT rules ...
>
> NG Specific Configuration Info
>
> The following global property settings are selected/enabled:
> "Automatic rules intersection"
> "Perform destination translation on the client side"
> "Automatic ARP Configuration"
>
> NG Objects.C modification:
> properties nat_dst_client_side_manual true
>
> The configuration illustrated above should be fairly popular. That means there is already someone out there with an answer, or a number of other network engineers trying to figure this out as well.
>
> Thank you for your interest and help with this issue.
>
>
> Kevin Palmer
> Network Engineer - MCSE+I, CCSE, CCNA