
Re: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails



Actually, NG and connect mode were created to solve that problem.

SecuClient creates a virtual adapter on the client side with the specified
address.  Otherwise, in the Pool configuration, the NAT is taking place on
the firewall and the firewall still deals with the routing issue of seeing
the local network as opposed to passing it out through the tunnel.

Cheers,
CryptoTech



----- Original Message -----
From: "Gorton Dean" <[email protected]>
To: "'Mailing list for discussion of Firewall-1'"
<[email protected]>
Cc: <[email protected]>
Sent: Tuesday, February 26, 2002 4:48 AM
Subject: RE: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails


> Yes, The Client side network is also used on our internal LAN. Is this the
> problem? I thought the IP pool for SecuRemote NAT would allow this.
>
>
>
>
> -----Original Message-----
> From: Cryptotech [mailto:[email protected]]
> Sent: 25 February 2002 23:49
> To: [email protected]
> Subject: Re: [FW-1] IP POOL for SecuRemote connection with client side
> NAT Fails
>
>
> Is the network at the client side the same as the one "inside" the firewall?
>
> ----- Original Message -----
> From: "Gorton Dean" <[email protected]>
> To: <[email protected]>
> Sent: Monday, February 25, 2002 1:50 PM
> Subject: [FW-1] IP POOL for SecuRemote connection with client side NAT Fails
>
>
> > I've set up an IP NAT pool for SecuRemote connections coming into my
> > company. This is working fine for most users and the log viewer shows the
> > incoming data being decrypted and NAT'ed. I've verified the NAT is taking
> > place using a packet sniffer on my internal network.
> >
> > HOWEVER, If I set this up for a remote ADSL user whose ISP is providing them
> > with a NAT'ed IP address, it fails. In the log viewer I still see the
> > incoming data being decrypted and then NAT'ed using my predefined IP NAT
> > pool of addresses for incoming SecuRemote connections.
> >
> > BUT, If I put a packet sniffer on my internal network now I can see that the
> > data has the original source IP address and has not been NAT'ed by my
> > firewall at all! IT IS LYING.
> >
> > My question, Why is the FW-1 NAT for SecuRemote connection only working for
> > machines with a legal address who don't need it and not for users sitting
> > behind a client side NAT'ed router?
> >
> > I'm running CPFW-1 4.1 sp5 on a Solaris platform and SecuRemote 4.1 sp5
> > build 4199. SecuRemote is configured to use IKE encryption and is forcing
> > UDP encapsulation on both machines as per phoneboy article
> > "http://www.phoneboy.com/docs/secureclient-nat.pdf"
> >
> > Any help will be greatly appreciated,
> >
> >         Dean Gorton
> >         Senior Network Analyst
> >
> >         *       +44 20 7843 4775
> >         *       [email protected]
> >
> >         *       Macmillan Limited,
> >                 The Macmillan Building
> >                 4 Crinan Street
> >                 London,
> >                 N1 9XW,
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> >
>




 
   All contents © 2004 Network Presence, LLC. All rights reserved.