
[FW-1] Hide NAT not working according to FAQ!!!



Hi;

I'm trying to get Hide NAT working with SecuRemote build 4199, a Cisco
760 and FW-1 version:

This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41510 [VPN +
DES + STRONG]

I've set Securemote to use UDP encapsulation and the user is set to use ESP,
MD5 and IKE with shared secret.

On the router, the following ports were set up to go directly to the host with
SecuRemote installed:

261
500
2746

What I then saw in the firewall logs was that the ESP packet was removed
from the UDP encapsulation, but the IP address was rejected because it was a
non-routable IP address and not in our defined list of allowed hosts (I must
admit I was originally hoping to see the NAT device's IP address).

What could be going wrong?

As a last resort I tried allowing the non-routable IP address access to some
internal hosts, just to get something working - but the error in the FW log was,
understandably, that it could not contact the authentication agent on the
host (I presume that it was looking for the non-routable IP address again).

Here is a dump of the traffic from the Firewall during the failed session...

 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=172
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=84
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=116
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=436
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=276
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=140
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=108
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84

Finally: Packet Rejected, Reason: Connection to Session Agent failed

Regards
  Chris
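Added example (not code from the post, Check Point or the mailing list): a small Python model of what the post describes. It parses the snoop-style dump above to confirm that the whole exchange rides UDP/2746 through a single hide-NAT port mapping, then shows why the access check fails anyway: once the gateway strips the UDP wrapper, the address it evaluates is the client's inner RFC 1918 address, not the NAT device's public address the author hoped to see. The addresses NAT_DEVICE_IP, CLIENT_INNER_IP and the ALLOWED_HOSTS list are constructed for the example; the post does not give the real ones.

```python
"""Model of the UDP-encapsulated ESP / hide-NAT failure from the post."""
import ipaddress
import re

# Dump from the post (snoop-style): "<src> -> <dst>  UDP D=<dport> S=<sport> LEN=<bytes>"
SAMPLE_DUMP = """\
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=172
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=84
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=116
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=436
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=276
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=140
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
    fw1 -> NAT-device  UDP D=65487 S=2746 LEN=108
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=76
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
 NAT-device -> fw1     UDP D=2746 S=65487 LEN=84
"""

# Constructed values (assumptions): the post does not give the real addresses.
NAT_DEVICE_IP = "203.0.113.5"     # public side of the hide-NAT router
CLIENT_INNER_IP = "192.168.1.10"  # SecuRemote host behind the router
ALLOWED_HOSTS = {NAT_DEVICE_IP}   # the address the author expected the gateway to match

UDP_ENCAP_PORT = 2746  # Check Point UDP encapsulation port, as forwarded in the post
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^\s*(\S+)\s*->\s*(\S+)\s+(\w+)\s+D=(\d+)\s+S=(\d+)\s+LEN=(\d+)")


def parse_dump(text):
    """Parse snoop-style summary lines into dicts; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, proto, dport, sport, length = m.groups()
            packets.append({"src": src, "dst": dst, "proto": proto,
                            "dport": int(dport), "sport": int(sport), "len": int(length)})
    return packets


def summarize_flow(packets, encap_port=UDP_ENCAP_PORT):
    """Count packets per direction and check that every packet used the encapsulation
    port with one translated client port, i.e. a stable hide-NAT mapping."""
    to_gw = [p for p in packets if p["dport"] == encap_port]
    from_gw = [p for p in packets if p["sport"] == encap_port]
    client_ports = {p["sport"] for p in to_gw} | {p["dport"] for p in from_gw}
    all_encap = all(p["proto"] == "UDP" and encap_port in (p["dport"], p["sport"]) for p in packets)
    return {"to_gateway": len(to_gw), "from_gateway": len(from_gw),
            "all_udp_encap": all_encap, "client_ports": client_ports}


def is_rfc1918(ip):
    """True for the non-routable private ranges the gateway log complained about."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def policy_check(src, allowed_hosts):
    """Access decision on the source address the gateway sees after decapsulation."""
    if is_rfc1918(src):
        return ("reject", f"{src} is a non-routable (RFC 1918) address")
    if src not in allowed_hosts:
        return ("reject", f"{src} is not in the allowed-hosts list")
    return ("accept", f"{src} is an allowed host")


def explain_session(dump_text, outer_src, inner_src, allowed_hosts):
    """Tie the dump to the verdict: the UDP/2746 exchange completes, but the outer
    (NAT device) source is discarded with the wrapper and policy judges the inner source."""
    flow = summarize_flow(parse_dump(dump_text))
    verdict, reason = policy_check(inner_src, allowed_hosts)
    return {"flow": flow, "discarded_outer_src": outer_src,
            "evaluated_src": inner_src, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    print(explain_session(SAMPLE_DUMP, NAT_DEVICE_IP, CLIENT_INNER_IP, ALLOWED_HOSTS))
```

Run stand-alone, the script reports 13 packets towards the gateway and 11 back, all on UDP/2746 with the single translated client port 65487, and a rejection for the inner 192.168.1.10 source; swapping in the NAT device's public address for the check is what the author was hoping the gateway would do, and the model shows that address is accepted.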
