[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails
Actually, NG and connect mode was created to solve that problem. SecuClient creates a virtual adapter on the client side with the specified address. Otherwise, in the Pool configuration, the NAT is taking place on the firewall and the firewall still deals with the routing issue of seeing the local network as opposed to passing it out through the tunnel. Cheers, CryptoTech ----- Original Message ----- From: "Gorton Dean" <[email protected]> To: "'Mailing list for discussion of Firewall-1'" <[email protected]> Cc: <[email protected]> Sent: Tuesday, February 26, 2002 4:48 AM Subject: RE: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails > Yes, The Client side network is also used on our internal LAN. Is this the > problem? I thought the IP pool for SecuRemote NAT would allow this. > > > > > -----Original Message----- > From: Cryptotech [mailto:[email protected]] > Sent: 25 February 2002 23:49 > To: [email protected] > Subject: Re: [FW-1] IP POOL for SecuRemote connection with client side > NAT Fails > > > Is the network at the client side the same as the one "inside" the firewall? > > ----- Original Message ----- > From: "Gorton Dean" <[email protected]> > To: <[email protected]> > Sent: Monday, February 25, 2002 1:50 PM > Subject: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails > > > > I've set-up an IP NAT pool for SecuRemote connections coming into my > > company. This is working fine for most users and the log viewer shows the > > incoming data being decrypted and NAT'ed. I've verified the NAT is taking > > place using a packet sniffer on my internal network. > > > > HOWEVER, If I set this up for a remote ADSL user who's ISP is providing > them > > with a NAT'ed IP address, it fails. In the log viewer I still see the > > incoming data being decrypted and then NAT'ed using my predefined IP NAT > > pool of addresses for incoming SecuRemote connections. > > > > BUT, If I put a packet sniffer on my internal network now I can see that > the > > data has the original source IP address and has not been NAT'ed by my > > firewall at all! IT IS LYING. > > > > My question, Why is the FW-1 NAT for SecuRemote connection only working > for > > machines with a legal address who don't need it and not for users sitting > > behind a client side NAT'ed router? > > > > I'm running CPFW-1 4.1 sp5 on a Solaris platform and SecuRemote 4.1 sp5 > > build 4199. SecuRemote is configured to use IKE encryption and is forcing > > UDP encapsulation on both machines as per phoneboy article > > "http://www.phoneboy.com/docs/secureclient-nat.pdf" > > > > Any help will be greatly appreciated, > > > > Dean Gorton > > Senior Network Analyst > > > > * +44 20 7843 4775 > > * [email protected] > > > > * Macmillan Limited, > > The Macmillan Building > > 4 Crinan Street > > London, > > N1 9XW, > > > > ================================================= > > To set vacation, Out Of Office, or away messages, > > send an email to [email protected] > > in the BODY of the email add: > > set fw-1-mailinglist nomail > > ================================================= > > To unsubscribe from this mailing list, > > please see the instructions at > > http://www.checkpoint.com/services/mailing.html > > ================================================= > > If you have any questions on how to change your > > subscription options, email > > [email protected] > > ================================================= > > > > ================================================= > To set vacation, Out Of Office, or away messages, > send an email to [email protected] > in the BODY of the email add: > set fw-1-mailinglist nomail > ================================================= > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================= > If you have any questions on how to change your > subscription options, email > [email protected] > ================================================= > ================================================= To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|