Re: [FW-1] Conflicting IPs for tunnel & Locally connected machines.



It's possible to do source address NAT, based on destination, if you use
manual NAT rules.  They would have to sit higher in the Address Translation
rulebase than the automatic NAT rules (which it sounds like you're using).
If that doesn't work, I'd suggest doing manual NAT rules for both cases; a
specific rule/rules to deal with your problem situation first, and then a
more generalized rule to catch everything else.

I'm thinking something like:

Source IP/Dest IP/Service --> New Source IP/Original/Original

192.168.60.x/192.168.200.x/Any --> 172.16.60.x/Original/Original
192.168.60.x/Any/Any --> 172.16.60.x/Original/Original

The order, again, makes the difference.  Flip them around and it does no
good.

The NAT box in the middle could work-- I think-- but you'd still have the
issue of NAT for the routable IPs.  With that in mind I would think that a
CP-only solution, if you can get it to work, would be the best option.

Not sure about your "unexpected SYN response"-- haven't researched that one
before.  Maybe someone else can offer some insight on that...

-Russ

----- Original Message -----
From: "Jarmoc, Jeff R." <[email protected]>
To: <[email protected]>
Sent: Tuesday, February 11, 2003 11:16 AM
Subject: Re: [FW-1] Conflicting IPs for tunnel & Locally connected machines.


The problem is that the traffic will be mostly originating from our
internal machines.  Since the internal machines are already set up to
NAT traffic to their routable IPs, I'm not sure this is possible.  It'd
require being able to NAT to a different IP depending on the
destination.  Is that possible?

We've also given some thought to using a standalone NAT device patched
into a different interface on the firewall.

-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Tuesday, February 11, 2003 12:20 PM
To: [email protected]

Could you NAT your 192.168.60.x-originating traffic to a non-conflicting IP
range, and negotiate the tunnel for the NAT-ed range on your side instead of
192.168.60.x?

Or does CP's order of operations preclude this?  Seems like a logical
approach to me and I've pulled this off on a NetScreen, but I admit I've
never done this on a CP.
---
Russell Washington, CCSE, CCSA, NCSA
Too many doggoned letters after my name.../

----- Original Message -----
From: "Jarmoc, Jeff R." <[email protected]>
To: <[email protected]>
Sent: Tuesday, February 11, 2003 9:23 AM
Subject: [FW-1] Conflicting IPs for tunnel & Locally connected machines.


I've got a somewhat unique situation which I'm hoping you all can help
with.  Due to restrictions of a co-located environment, I'm stuck in an
awkward situation, here's the rundown;

Nokia IP300 series running NG SP3 w/ hotfix.
Two active interfaces

External interface - using routable IP
Internal interface - using 192.168.60.1 IP

Three internal servers - each with a 192.168.60.x IP, and 255.255.255.0
mask.

VPN connectivity to approximately 50 remote sites, each using a
192.168.x class C network.

Here's the problem.  Our managed hosting provider runs a server on their
network which our application servers need to communicate with.  This
server is available on the wire connected to our external interface,
however, they've assigned it an IP address of 192.168.200.200 with a
class B subnet mask!

The result of this is that if I add an IP on our firewall's external int
which communicates to their server, we lose our tunnel.  I've even tried
using a class C mask on our side since we luckily don't have a class C
network using their address space, but this still causes our tunnel to
drop.

Is there anything I can do to enable our servers to connect to this
server while still having our tunnel active?  I realize the best
solution would be for our coloc manager to change their servers IP
address, but they aren't receptive to that idea.  Any help you all can
provide would be greatly appreciated.  If you need any more information
I'll be happy to provide it.

** IP addresses have been changed to protect the innocent **

Jeff Jarmoc
CCSA, CCNA, MCSE
[email protected]
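The two mechanics the thread turns on, modelled as a small simulation. This is an added example, not code from any of the posts above and not Check Point code: it models a directly connected network overlapping remote VPN encryption domains (Jeff's problem statement), and a first-match NAT rulebase that picks the source translation by destination, so that the specific rule must sit above the general one (Russ's reply). Assumptions that are mine for illustration: the handful of remote site networks, the use of the documentation prefix 203.0.113.0/24 as a stand-in for the routable addresses the automatic NAT already hands out, and plain top-down first-match rule semantics.

```python
"""
Simulation of the two mechanics discussed in the thread above: a connected
network on an interface overlapping remote VPN encryption domains, and a
first-match NAT rulebase that chooses the source translation by destination.
Generic rule semantics only; this is not Check Point code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

# Constructed sample of the ~50 remote 192.168.x.0/24 sites (numbers made up).
REMOTE_SITES = {
    "site-a": Net("192.168.10.0/24"),
    "site-b": Net("192.168.20.0/24"),
    "site-c": Net("192.168.120.0/24"),
    "site-d": Net("192.168.201.0/24"),
}


def connected_network(addr_with_mask: str) -> Net:
    """Network an interface address would make directly connected,
    e.g. '192.168.200.201/255.255.0.0' -> 192.168.0.0/16."""
    return ipaddress.IPv4Interface(addr_with_mask).network


def overlapping_sites(connected: Net, sites: dict) -> list:
    """Names of remote encryption domains that overlap the connected network."""
    return sorted(name for name, net in sites.items() if connected.overlaps(net))


@dataclass(frozen=True)
class NatRule:
    src: Net             # original source
    dst: Optional[Net]   # original destination; None means Any
    xlate_src: Net       # translated source network

    def __post_init__(self):
        if self.src.prefixlen != self.xlate_src.prefixlen:
            raise ValueError("static network NAT needs equal prefix lengths")

    def matches(self, src_ip, dst_ip) -> bool:
        return src_ip in self.src and (self.dst is None or dst_ip in self.dst)

    def translate(self, src_ip):
        # One-to-one network NAT: keep the host part, swap the network part.
        offset = int(src_ip) - int(self.src.network_address)
        return self.xlate_src.network_address + offset


def translate_source(rules, src: str, dst: str) -> str:
    """First matching rule wins; no match means the packet leaves untranslated."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return str(rule.translate(src_ip))
    return src


# Rulebase shape from the reply: specific destination first, general rule last.
# 203.0.113.0/24 is a documentation prefix standing in for the real routable IPs
# (assumed; the thread does not give them).
SPECIFIC = NatRule(Net("192.168.60.0/24"), Net("192.168.200.0/24"), Net("172.16.60.0/24"))
GENERAL = NatRule(Net("192.168.60.0/24"), None, Net("203.0.113.0/24"))
ORDERED = [SPECIFIC, GENERAL]
FLIPPED = [GENERAL, SPECIFIC]


if __name__ == "__main__":
    for mask in ("255.255.0.0", "255.255.255.0"):
        net = connected_network("192.168.200.201/" + mask)
        print(f"{net}: overlaps {overlapping_sites(net, REMOTE_SITES) or 'nothing'}")
    for name, rules in (("ordered", ORDERED), ("flipped", FLIPPED)):
        to_provider = translate_source(rules, "192.168.60.10", "192.168.200.200")
        to_internet = translate_source(rules, "192.168.60.10", "198.51.100.7")
        print(f"{name}: -> provider {to_provider}, -> elsewhere {to_internet}")
```

Run as-is, the overlap check reports that a class B mask on the external interface collides with every 192.168.x.0/24 site, while a /24 collides with none of the sample sites, which matches the "luckily" remark in the original post; the post also reports that the tunnel still dropped with the /24, and this model does not account for that. The rulebase half shows the ordering point directly: with the specific rule first, traffic to 192.168.200.200 leaves as 172.16.60.10 and everything else as the routable address, whereas with the order flipped the general "Any" destination rule matches first and the specific rule is never reached.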

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================


   All contents © 2004 Network Presence, LLC. All rights reserved.