Re: [FW-1] General Question on SecuRemote and SecureClient
In my experience this DOES cause a problem. IP NAT pool will not be able to distinguish between home user 1 and home user 2 and will assume they are the same host. Consequently it will assign the same IP NAT pool address to each host.

I tested this specifically. Looking at the FW log you can see that both get the same IP NAT pool address. I confirmed by doing an FTP to an internal server and viewed the FTP connections log and this server saw the two distinct hosts as the SAME IP address.

You are playing with fire at this point. Applications do seem to work ok. However, at the point where both users happen to choose the same TCP source port I think it will break.

The only solution that I know of is to dole out unique IP address ranges for use on the networks at home - a real PITA.

----------------------------------------------------------------------------------------
Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
Voice:
Fax:

Shawn Kearley <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected] point.com>
03/11/02 07:04 AM
Please respond to Mailing list for discussion of Firewall-1

To: [email protected]
cc:
Subject: Re: [FW-1] General Question on SecuRemote and SecureClient

The problem I am considering is not an overlap between the Home Network and the Corporate Network. The problem I am wondering about is when two remote users with the same local IP address connect to the corporate network at the same time, i.e.:

    Home User 1
    192.168.1.100 -----|
                       |-- Corporate Firewall --- Internal Network (192.168.100.x)
    Home User 2        |
    192.168.1.100 -----|

Will there be a problem with this connection if IP Pool NAT is not used?
Shawn

-----Original Message-----
From: Don [mailto:[email protected]]
Sent: March 11, 2002 12:04 PM
To: [email protected]
Subject: Re: [FW-1] General Question on SecuRemote and SecureClient

> Over the weekend, I picked up for myself, a Linksys DSL router for home, and
> when I was setting it up, I realized that using the defaults, as many users
> would, anyone using one of these devices will be getting the same network,
> and potentially the same IP address on their home system.
>
> What I am wondering about, is will I have any problems if two users,
> establish a VPN connection to us, who are using the same internal IP Address
> on their home system. By not using IP Pool NAT, the IP Address used within
> the corporate network, is the same address on the home system. Will
> Checkpoint correctly route the traffic to the correct Remote PC, or will I
> likely run into difficulties.
>
> On a similar note, if I should enable IP Pool NAT to clear up the above
> issue, will I need to re-deploy a USERC.C file to the remote PCs or is this
> totally internal to the Firewall box. I am asking this because some of our
> VPN users are remote vendors who were reluctant to use the software in the
> first place, and I don't want to inconvenience them further unless I have
> to.

IP NAT Pool will not fix this problem. You need to use different addresses on your internal network or the home networks.
-don

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
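
An added example, not part of the original thread and not any poster's or Check Point's code: a generic model of the ambiguity discussed above, where two tunnels present the same inner address, and of the case raised in the first reply where both users pick the same TCP source port. User names, public addresses, ports and the replacement home ranges are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flows seen after decryption at the gateway:
# (user, outer/public IP, inner source IP, source port, dest IP, dest port)
FLOWS = [
    ("home_user_1", "198.51.100.10", "192.168.1.100", 1025, "192.168.100.5", 21),
    ("home_user_2", "203.0.113.20", "192.168.1.100", 1026, "192.168.100.5", 21),
    ("home_user_2", "203.0.113.20", "192.168.1.100", 1025, "192.168.100.5", 21),
]


def shared_inner_ips(flows):
    """Inner source IPs presented by more than one distinct tunnel peer."""
    peers = defaultdict(set)
    for user, outer, inner, *_ in flows:
        peers[ip_address(inner)].add((user, outer))
    return {str(ip): sorted(u for u, _ in p)
            for ip, p in peers.items() if len(p) > 1}


def tuple_collisions(flows):
    """Inner TCP 4-tuples claimed by more than one tunnel peer.

    An internal server (or any table keyed on the inner addresses alone)
    cannot tell these connections apart.
    """
    owners = defaultdict(set)
    for user, outer, inner, sport, dst, dport in flows:
        owners[(inner, sport, dst, dport)].add((user, outer))
    return {k: sorted(u for u, _ in v)
            for k, v in owners.items() if len(v) > 1}


def renumber(flows, home_ranges):
    """Apply the remedy from the thread: a unique home address per user."""
    return [(u, o, home_ranges[u], sp, d, dp) for u, o, _, sp, d, dp in flows]


if __name__ == "__main__":
    print("shared inner IPs:", shared_inner_ips(FLOWS))
    print("4-tuple collisions:", tuple_collisions(FLOWS))
    # Hypothetical per-user home addresses, chosen only for this example.
    fixed = renumber(FLOWS, {"home_user_1": "192.168.11.100",
                             "home_user_2": "192.168.12.100"})
    print("after renumbering:", shared_inner_ips(fixed), tuple_collisions(fixed))
```

Running the overlap check against real VPN session records before rollout shows which remote users need a non-default home range.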