Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW-1] IP POOL for SecuRemote connection with client side NAT Fails

To: [email protected]
Subject: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails
From: Gorton Dean <[email protected]>
Date: Mon, 25 Feb 2002 18:50:22 -0000
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

I've set-up an IP NAT pool for SecuRemote connections coming into my
company. This is working fine for most users and the log viewer shows the
incoming data being decrypted and NAT'ed. I've verified the NAT is taking
place using a packet sniffer on my internal network.

HOWEVER, If I set this up for a remote ADSL user who's ISP is providing them
with a NAT'ed IP address, it fails. In the log viewer I still see the
incoming data being decrypted and then NAT'ed using my predefined IP NAT
pool of addresses for incoming SecuRemote connections.

BUT, If I put a packet sniffer on my internal network now I can see that the
data has the original source IP address and has not been NAT'ed by my
firewall at all! IT IS LYING.

My question, Why is the FW-1 NAT for SecuRemote connection only working for
machines with a legal address who don't need it and not for users sitting
behind a client side NAT'ed router?

I'm running CPFW-1 4.1 sp5 on a Solaris platform and SecuRemote 4.1 sp5
build 4199. SecuRemote is configured to use IKE encryption and is  forcing
UDP encapsulation on both machines as per phoneboy article
"http://www.phoneboy.com/docs/secureclient-nat.pdf";

Any help will be greatly appreciated,

        Dean Gorton
        Senior Network Analyst

        *       +44 20 7843 4775
        *       [email protected]

        *       Macmillan Limited,
                The Macmillan Building
                4 Crinan Street
                London,
                N1 9XW,

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- Re: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails
  - From: Cryptotech <[email protected]>

Prev by Date: [FW-1] CP Exams
Next by Date: [FW-1] problems with DMZ and NAT
Previous by thread: Re: [FW-1] CP Exams
Next by thread: Re: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails
Index(es):
- Date
- Thread