
Re: [FW-1] Site to Site VPN Question



You are correct so far as I know-- if you do a hide NAT for all your
internal nets and use that within your encryption domain, that should do the
trick.  If the traffic is getting out bearing 172.16.x.x source addresses,
then this boils down to how the NAT is being handled at your end rather than
this being a network addressing problem.

On FW-1 4.x this was weird but straightforward.  NAT was done last, so your
encryption rule for outbound traffic specified the 'real' internal address,
and you would couple this with a NAT rule that hid everything.  The rule did
its job first, the NAT did its job next, packet hits the other side with a
translated source address.

On NG I'm not sure how NAT gets done, although I gather it has changed as
well as being configurable.  I'm also not sure how automatic rules get
applied by default in this scenario.  But I *am* certain that if your NAT
gets applied before the security policy rule, and the rule itself is based
on how the packet looks pre-NAT, then it obviously won't work.

This just begs for a sniffer, or at least a really close look at the logs...
What do your logs tell you?  Anything?
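The ordering point in the reply above, modelled in Python as an added example (not code from the thread or from Check Point): the outbound encrypt rule is written against the real internal addresses, so it only matches if it is evaluated before hide NAT rewrites the source. Addresses are constructed documentation-range values standing in for the internal net, the hide address and the vendor net.

```python
from ipaddress import ip_address, ip_network

# Constructed example values (not the thread's own addresses): the internal net
# clashes with another client of the vendor, so the vendor's view of our
# encryption domain must be the translated (hide NAT) address instead.
INTERNAL_NET = ip_network("172.16.0.0/16")
HIDE_ADDR = "203.0.113.25"                  # hide NAT address, distinct from the FW's own IP
VENDOR_NET = ip_network("198.51.100.0/24")

# Encryption domain as the vendor has it configured for us: the hide address only.
VENDOR_VIEW_OF_OUR_DOMAIN = ip_network(HIDE_ADDR + "/32")

def hide_nat(src, dst):
    """Hide NAT: any internal source talking outward leaves with the hide address."""
    if ip_address(src) in INTERNAL_NET and ip_address(dst) not in INTERNAL_NET:
        return HIDE_ADDR, dst
    return src, dst

def encrypt_rule_matches(src, dst):
    """Our outbound encrypt rule, written against the *real* internal addresses."""
    return ip_address(src) in INTERNAL_NET and ip_address(dst) in VENDOR_NET

def send_outbound(src, dst, nat_before_rule):
    """Simulate one outbound packet; returns (encrypted, wire_src, vendor_accepts)."""
    if nat_before_rule:
        # NAT first: the rule then sees the hide address and never matches.
        wire_src, wire_dst = hide_nat(src, dst)
        encrypted = encrypt_rule_matches(wire_src, wire_dst)
    else:
        # FW-1 4.x ordering described in the thread: rule first, NAT last.
        encrypted = encrypt_rule_matches(src, dst)
        wire_src, wire_dst = hide_nat(src, dst)
    # The peer only accepts the tunnel if the wire source is inside the
    # encryption domain it has configured for us.
    vendor_accepts = encrypted and ip_address(wire_src) in VENDOR_VIEW_OF_OUR_DOMAIN
    return encrypted, wire_src, vendor_accepts
```

With rule-then-NAT the packet is encrypted and leaves bearing the hide address; with NAT-then-rule the same packet never matches the encrypt rule, which is the failure the reply predicts.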

-----Original Message-----
From: Kevin Buckley [mailto:[email protected]]
Sent: Thursday, May 02, 2002 6:30 PM
To: [email protected]
Subject: Re: [FW-1] Site to Site VPN Question


I don't really remember if it had the source address or the hide NAT
address; I will try to set up the test again tomorrow.  The VPN is me
----> him (one way) and it is my internal networks (encryption domain)
that are in conflict on his side. From articles I have found it sounds like I
should be able to do a hide NAT for all my internal networks and he can use that
as my encryption domain fine.

Thanks for the help, I will keep trying.


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Russell
Washington
Sent: Tuesday, April 30, 2002 11:46 AM
To: [email protected]
Subject: Re: [FW-1] Site to Site VPN Question

Hmmm.  Let me ask you this.  With the test net that you set up
(successfully), what did the traffic look like that was coming out of your
firewall?  More specifically, when your vendor receives a ping (or whatever)
through that VPN from your side, does the packet bear a source address of
172.16.x.x or does it bear your hide NAT address?

If the latter, then I'm lost as to why this doesn't work when you shift back
to your production net.  If the former, your automatic NAT isn't doing squat
with respect to the VPN traffic, and may in fact be the very source of your
problem.

BTW guys, feel free to jump in anytime :)

-----Original Message-----
From: Kevin Buckley [mailto:[email protected]]
Sent: Monday, April 29, 2002 7:44 PM
To: [email protected]
Subject: Re: [FW-1] Site to Site VPN Question


I'm looking at a one way VPN with all traffic being generated from me. So in
my current setup I have all my internal networks hide NATed to a public IP
that is different than the Checkpoint external NIC's IP. This IP (NAT) would
then be considered my encryption domain with my vendor instead of my internal
network IP scheme being used (the one in conflict with another client of the
vendor's)?

On my fw in the global properties for NAT I have checked:
Automatic rules intersection
Automatic ARP configuration

Not checked:
Perform destination translation on the client side

So would I still have to add manual NAT rules since the automatic option is
chosen?


Example of my IPs
My external interface FW: 206.289.2.20
Hide NAT for internal network: 206.289.2.25
My internal network: 172.16.x.x  (Vendor has another client configured for
this encryption domain)

Vendor's IPs
Network I will be connecting to: 197.188.64.x
FW external IP: 165.69.54.88

Thanks for the help
Kevin



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Russell
Washington
Sent: Monday, April 29, 2002 10:37 AM
To: [email protected]
Subject: Re: [FW-1] Site to Site VPN Question

You shouldn't have to renumber your network or anything that drastic.  I
have a client who has this situation occur frequently; in such cases, we use
NAT rules on the Checkpoint to translate our internal addresses to something
else when talking to the hosts on the other side.  You should be able to set
up something similar.

Basically, in the addressing policy, we're talking about a rule that looks
something like the following if the access you need is strictly him -->
you:

Rule 1:

Original Packet:
His IP or net (src) --> Fake host IP for your internal box that doesn't
conflict w/his net (dest) --> Any (svc)

Translated Packet:
Original (src) --> Actual IP of your internal host (dest) --> Any (svc)

Rule 2:
Original Packet:
Actual IP of your internal host (src) --> His IP or net (dest) --> Any (svc)

Translated Packet:
Fake host IP for your internal box that doesn't conflict w/his net (src) -->
Original (dest) --> Any (svc)

You should have one pair of NAT rules for any internal host that your vendor
needs to touch.

Hope this helps.
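The NAT rule pair laid out above, modelled in Python as an added example (not the thread's or Check Point's own code). Addresses are constructed: 203.0.113.10 stands in for the non-conflicting "fake" host IP the vendor is given, 198.51.100.0/24 for the vendor's net.

```python
from ipaddress import ip_address, ip_network

# Constructed example values, not the thread's own: the internal host lives in
# the 172.16/16 net that clashes with another client of the vendor.
REAL_HOST = "172.16.5.10"
FAKE_HOST = "203.0.113.10"       # non-conflicting address the vendor is given for this host
VENDOR_NET = ip_network("198.51.100.0/24")
CONFLICTING_NET = ip_network("172.16.0.0/16")

# One manual NAT rule pair for this host, as laid out in the reply above.
# Each rule: match on the original packet (src net, dst net), then rewrite
# (src, dst); None means "Original", i.e. leave that field untouched.
NAT_RULES = [
    # Rule 1: vendor -> fake host IP  becomes  vendor -> real internal host
    {"match": (VENDOR_NET, ip_network(FAKE_HOST)), "xlate": (None, REAL_HOST)},
    # Rule 2: real internal host -> vendor  becomes  fake host IP -> vendor
    {"match": (ip_network(REAL_HOST), VENDOR_NET), "xlate": (FAKE_HOST, None)},
]

def translate(src, dst):
    """Apply the first NAT rule whose original-packet columns match.

    Returns (wire_src, wire_dst, rule_number); rule_number 0 means no NAT applied.
    """
    s, d = ip_address(src), ip_address(dst)
    for n, rule in enumerate(NAT_RULES, start=1):
        src_net, dst_net = rule["match"]
        if s in src_net and d in dst_net:
            new_src, new_dst = rule["xlate"]
            return (new_src or src, new_dst or dst, n)
    return (src, dst, 0)

def vendor_sees_real_address(src, dst):
    """True if a packet reaches the vendor still carrying the conflicting real address,
    i.e. a host that has no rule pair of its own."""
    wire_src, wire_dst, _ = translate(src, dst)
    return ip_address(wire_dst) in VENDOR_NET and ip_address(wire_src) in CONFLICTING_NET
```

A second internal host without its own rule pair leaks its 172.16.x.x address toward the vendor, which is why the reply calls for one pair per host the vendor needs to reach.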

 -----Original Message-----
From: Kevin Buckley [mailto:[email protected]]
Sent: Sunday, April 28, 2002 8:04 AM
To: [email protected]
Subject: [FW-1] Site to Site VPN Question


I need to set up a VPN site to site with a vendor. I gave the vendor my
encryption domain and he said he already had that IP scheme used by a
different client.

I set up a test network with an IP scheme he didn't have being used by anyone
else and we can get everything to work great.  The problem is I need to be
able to set it up using the IP scheme used throughout our company. Any
ideas?

I am running checkpoint NG FP1
I have all my internal networks configured for hide NAT behind an IP
different than the external IP of the firewall.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
