Re: [FW-1] Conflicting IPs for tunnel & Locally connected machines.
It's possible to do source address NAT, based on destination, if you use manual NAT rules. They would have to sit higher in the Address Translation rulebase than the automatic NAT rules (which it sounds like you're using). If that doesn't work, I'd suggest doing manual NAT rules for both cases; a specific rule/rules to deal with your problem situation first, and then a more generalized rule to catch everything else. I'm thinking something like:

    Source IP / Dest IP / Service        -->  New Source IP / Original / Original
    192.168.60.x / 192.168.200.x / Any   -->  172.16.60.x / Original / Original
    192.168.60.x / Any / Any             -->  172.16.60.x / Original / Original

The order, again, makes the difference. Flip them around and it does no good.

The NAT box in the middle could work-- I think-- but you'd still have the issue of NAT for the routable IPs. With that in mind I would think that a CP-only solution, if you can get it to work, would be the best option.

Not sure about your "unexpected SYN response"-- haven't researched that one before. Maybe someone else can offer some insight on that...

-Russ

----- Original Message -----
From: "Jarmoc, Jeff R." <[email protected]>
To: <[email protected]>
Sent: Tuesday, February 11, 2003 11:16 AM
Subject: Re: [FW-1] Conflicting IPs for tunnel & Locally connected machines.

The problem is that the traffic will be mostly originating from our internal machines. Since the internal machines are already set up to NAT traffic to their routable IPs, I'm not sure this is possible. It'd require being able to NAT to a different IP depending on the destination. Is that possible?

We've also given some thought to using a standalone NAT device patched into a different interface on the firewall.
-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Tuesday, February 11, 2003 12:20 PM
To: [email protected]

Could you NAT your 192.168.60.x-originating traffic to a non-conflicting IP range, and negotiate the tunnel for the NAT-ed range on your side instead of 192.168.60.x? Or does CP's order of operations preclude this? Seems like a logical approach to me and I've pulled this off on a NetScreen, but I admit I've never done this on a CP.

---
Russell Washington, CCSE, CCSA, NCSA
Too many doggoned letters after my name...

----- Original Message -----
From: "Jarmoc, Jeff R." <[email protected]>
To: <[email protected]>
Sent: Tuesday, February 11, 2003 9:23 AM
Subject: [FW-1] Conflicting IPs for tunnel & Locally connected machines.

I've got a somewhat unique situation which I'm hoping you all can help with. Due to restrictions of a co-located environment, I'm stuck in an awkward situation; here's the rundown:

Nokia IP300 series running NG SP3 w/ hotfix.
Two active interfaces:
  External interface - using routable IP
  Internal interface - using 192.168.60.1 IP
Three internal servers - each with a 192.168.60.x IP, and 255.255.255.0 mask.
VPN connectivity to approximately 50 remote sites, each using a 192.168.x class C network.

Here's the problem. Our managed hosting provider runs a server on their network which our application servers need to communicate with. This server is available on the wire connected to our external interface; however, they've assigned it an IP address of 192.168.200.200 with a class B subnet mask! The result of this is that if I add an IP on our firewall's external int which communicates to their server, we lose our tunnel. I've even tried using a class C mask on our side since we luckily don't have a class C network using their address space, but this still causes our tunnel to drop. Is there anything I can do to enable our servers to connect to this server while still having our tunnel active?
I realize the best solution would be for our coloc manager to change their server's IP address, but they aren't receptive to that idea. Any help you all can provide would be greatly appreciated. If you need any more information I'll be happy to provide it.

** IP addresses have been changed to protect the innocent **

Jeff Jarmoc
CCSA, CCNA, MCSE
[email protected]

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
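Russ's point at the top of the thread, that the specific rule must sit above the general one because the Address Translation rulebase is first-match, as an added illustration that is not part of any message in this thread and is not Check Point code. It is a small Python model of a first-match NAT rulebase: the 192.168.60.x, 192.168.200.x and 172.16.60.x ranges come from the thread, while the 203.0.113.0/24 "routable" range (a documentation prefix) and the sample hosts are constructed placeholders. It shows that with the specific rule first, traffic to the colo server hides behind 172.16.60.x and everything else keeps the routable NAT; with the order flipped, the general rule matches everything and the specific rule is never reached.

```python
"""Tiny first-match model of a manual NAT rulebase (constructed example).

Not Check Point code: it only demonstrates why rule order decides whether a
destination-dependent source translation ever takes effect.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class NatRule:
    src: IPv4Network        # original source, e.g. 192.168.60.x
    dst: IPv4Network        # original destination; 0.0.0.0/0 stands for "Any"
    new_src: IPv4Network    # translated source network; the host part is kept
    comment: str = ""


ANY = IPv4Network("0.0.0.0/0")

# Assumption: the "routable IPs" Jeff mentions. 203.0.113.0/24 is a
# documentation range used here purely as a placeholder.
ROUTABLE = IPv4Network("203.0.113.0/24")

# The two rules from Russ's suggestion; the general rule is given the routable
# range so that the two orders produce visibly different results.
RULE_SPECIFIC = NatRule(
    IPv4Network("192.168.60.0/24"), IPv4Network("192.168.200.0/24"),
    IPv4Network("172.16.60.0/24"), "to colo server: hide behind 172.16.60.x")
RULE_GENERAL = NatRule(
    IPv4Network("192.168.60.0/24"), ANY, ROUTABLE, "everything else: routable IPs")


def translate_source(rules, src: str, dst: str) -> str:
    """Return the post-NAT source for the first matching rule (unchanged if none matches)."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if src_ip in rule.src and dst_ip in rule.dst:
            # Keep the host offset within the network: 192.168.60.10 -> 172.16.60.10
            host = int(src_ip) - int(rule.src.network_address)
            return str(rule.new_src.network_address + host)
    return src  # no rule matched: no translation


def compare_orders(src="192.168.60.10", colo="192.168.200.200", other="198.51.100.5"):
    """Evaluate the same two flows under both rule orders.

    Returns {order: (source seen by the colo server, source seen by another host)}.
    The sample hosts are constructed; 198.51.100.5 is a documentation address.
    """
    specific_first = [RULE_SPECIFIC, RULE_GENERAL]
    general_first = [RULE_GENERAL, RULE_SPECIFIC]
    return {
        "specific_first": (translate_source(specific_first, src, colo),
                           translate_source(specific_first, src, other)),
        "general_first": (translate_source(general_first, src, colo),
                          translate_source(general_first, src, other)),
    }


if __name__ == "__main__":
    for order, (to_colo, to_other) in compare_orders().items():
        print(f"{order:15s} colo server sees {to_colo:15s} other hosts see {to_other}")
```

With the specific rule first, the colo server sees 172.16.60.10 while other destinations still see the routable address; with the general rule first, both see the routable address, because first-match evaluation never reaches the destination-specific rule. The same check applies when you verify a rulebase change: send one flow to the problem destination and one elsewhere, and confirm the translated sources differ.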