
Re: [FW-1] General Question on SecuRemote and SecureClient



In my experience this DOES cause a problem. IP NAT pool will not be able to
distinguish between home user 1 and home user 2 and will assume they are
the same host. Consequently it will assign the same IP NAT pool address to
each host. I tested this specifically. Looking at the FW log you can see
that both get the same IP NAT pool address. I confirmed by doing an FTP to
an internal server and viewed the FTP connections log and this server saw
the two distinct hosts as the SAME IP address. You are playing with fire at
this point. Applications do seem to work ok. However, at the point where
both users happen to choose the same TCP source port I think it will break.
The only solution that I know of is to dole out unique IP address ranges
for use on the networks at home - a real PITA.

----------------------------------------------------------------------------------------

Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [email protected]
Voice:
Fax:

Shawn Kearley <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]point.com>
03/11/02 07:04 AM
Please respond to Mailing list for discussion of Firewall-1

To: [email protected]
cc:
Subject: Re: [FW-1] General Question on SecuRemote and SecureClient





The problem I am considering is not an overlap between the Home Network and
the Corporate Network. The problem I am wondering about is when two remote
users with the same local IP address connect to the corporate network at
the same time, i.e.:

Home User 1
192.168.1.100 -----|
                   |-- Corporate Firewall --- Internal Network (192.168.100.x)
Home User 2        |
192.168.1.100 -----|

Will there be a problem with this connection if IP Pool NAT is not used?

Shawn

-----Original Message-----
From: Don [mailto:[email protected]]
Sent: March 11, 2002 12:04 PM
To: [email protected]
Subject: Re: [FW-1] General Question on SecuRemote and SecureClient


> Over the weekend, I picked up for myself, a Linksys DSL router for home, and
> when I was setting it up, I realized that using the defaults, as many users
> would, anyone using one of these devices will be getting the same network,
> and potentially the same IP address on their home system.
>
> What I am wondering about, is will I have any problems if two users,
> establish a VPN connection to us, who are using the same internal IP Address
> on their home system.  By not using IP Pool NAT, the IP Address used within
> the corporate network, is the same address on the home system.  Will
> Checkpoint correctly route the traffic to the correct Remote PC, or will I
> likely run into difficulties.
>
> On a similar note, if I should enable IP Pool NAT to clear up the above
> issue, will I need to re-deploy a USERC.C file to the remote PCs or is this
> totally internal to the Firewall box.  I am asking this because some of our
> VPN users are remote vendors who were reluctant to use the software in the
> first place, and I don't want to inconvenience them further unless I have
> to.

IP NAT Pool will not fix this problem. You need to use different addresses
on your internal network or the home networks.

-don

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
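
The collision discussed in this thread, as an added example that is not part of the original messages: a generic model of a connection table keyed on the TCP 5-tuple (not FireWall-1's actual implementation), run over constructed sessions. The server host address 192.168.100.10, the source port numbers, the client labels and the second home range 192.168.2.x are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def server_view(sessions):
    """Distinct source addresses the internal server sees."""
    return {flow.src_ip for _, flow in sessions}


def find_ambiguous_flows(sessions):
    """Return {flow: [clients]} for every 5-tuple claimed by more than one client."""
    owners = defaultdict(set)
    for client, flow in sessions:
        owners[flow].add(client)
    return {f: sorted(c) for f, c in owners.items() if len(c) > 1}


def readdress(sessions, assigned):
    """Give each client its own source address (assigned: client -> ip)."""
    return [(c, f._replace(src_ip=assigned[c])) for c, f in sessions]


# Constructed sample: two remote users presenting the same address to an
# internal FTP server. Host part of SERVER and all ports are assumptions.
SERVER = "192.168.100.10"
SESSIONS = [
    ("user1", Flow("192.168.1.100", 1025, SERVER, 21)),
    ("user2", Flow("192.168.1.100", 1026, SERVER, 21)),  # different port: still distinct
    ("user1", Flow("192.168.1.100", 1030, SERVER, 21)),
    ("user2", Flow("192.168.1.100", 1030, SERVER, 21)),  # same port: identical 5-tuple
]
# Assumed remediation: each home network uses its own range.
UNIQUE = {"user1": "192.168.1.100", "user2": "192.168.2.100"}

if __name__ == "__main__":
    print("server sees:", server_view(SESSIONS))
    for flow, clients in find_ambiguous_flows(SESSIONS).items():
        print("ambiguous:", flow, "claimed by", clients)
    print("after readdressing:", find_ambiguous_flows(readdress(SESSIONS, UNIQUE)))
```
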
   All contents © 2004 Network Presence, LLC. All rights reserved.