When you say "tracert the NetScreen network", are you saying that traffic initiated from the HQ network is getting a reply from a router between the FW-1 and the NS boxes?

If that *is* the case... the HQ-initiated traffic isn't going through the VPN... you should never see a reply from a box between the two gateway devices if the traffic is being pushed into the tunnel.

Also, do you have both incoming *and* outgoing policies set on the NS? Or just a single outgoing? You need both to get bidirectional traffic.
--- Russell Washington, CCSE, CCSA, NCSA
Too many doggoned letters after my name.../
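Russell's tracert test, as an added example that is not part of this thread: a small Python diagnostic that reads Windows tracert output and reports whether the first hop past the local gateway is already on the remote side (the packet entered the tunnel) or whether routers between the two gateways answered (it was routed in the clear), and whether any address answers at two different TTLs (a routing loop, the symptom Serge describes). The tracert output, gateway addresses and subnets below are constructed for the example.

```python
import ipaddress
import re

# Constructed Windows tracert output, not from the thread: an HQ host tracing a
# host behind the NetScreen. Hops 3-6 alternate between two transit routers.
SAMPLE_CLEARTEXT = """
Tracing route to 192.168.10.5 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  203.0.113.1
  2     2 ms     2 ms     2 ms  203.0.113.254
  3    10 ms    11 ms    10 ms  198.51.100.9
  4    12 ms    12 ms    11 ms  198.51.100.10
  5    14 ms    13 ms    14 ms  198.51.100.9
  6    15 ms    15 ms    16 ms  198.51.100.10
"""

# Constructed output for a working tunnel: the hop after the FW-1 is already
# the NetScreen's inside address, so nothing between the gateways replied.
SAMPLE_TUNNEL = """
Tracing route to 192.168.10.5 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  203.0.113.1
  2    20 ms    21 ms    20 ms  192.168.10.1
  3    21 ms    21 ms    22 ms  192.168.10.5
"""

# One hop line: hop number, three RTT columns, then the replying address.
HOP_RE = re.compile(r"^\s*\d+\s+.*?(\d+\.\d+\.\d+\.\d+)\s*$", re.M)

def parse_hops(text):
    """Replying hop addresses in order; timed-out hops (no address) are skipped."""
    return [ipaddress.ip_address(m.group(1)) for m in HOP_RE.finditer(text)]

def diagnose(text, local_gw, remote_gw, remote_net):
    """Classify a tracert run from the HQ side toward a host in remote_net.

    entered_tunnel: the first replying hop past our own gateway is the remote
                    gateway or a remote-side address, i.e. no router between the
                    two gateways saw the packet (None if undeterminable).
    loop:           some address answered at two different TTLs.
    """
    hops = parse_hops(text)
    result = {"entered_tunnel": None, "loop": len(set(hops)) < len(hops)}
    local_gw = ipaddress.ip_address(local_gw)
    if local_gw in hops and hops.index(local_gw) + 1 < len(hops):
        nxt = hops[hops.index(local_gw) + 1]
        result["entered_tunnel"] = (nxt == ipaddress.ip_address(remote_gw)
                                    or nxt in ipaddress.ip_network(remote_net))
    return result
```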
----- Original Message -----
Sent: Tuesday, February 11, 2003 1:02 PM
Subject: Re: [FW-1] VPN/NAT help need for FW 4.1 and Netscreen 5XP.
Hi Ed,

I have the following configurations and problems.

HQ Network --> FW-1 4.1 (running on NT 4.0) --> trying to set up VPN to <-- Netscreen 5XP (NAT mode) <-- Remote Network (non-routable)

HQ Network: full Class C - public IPs.
One public IP - private non-routable IPs.
Here are the problems:

- If I try to set up the VPN tunnel following the Checkpoint/NS docs, it does not work! No ping, nothing between the two sites, but I can see encrypted traffic in the Checkpoint log viewer. However, both external gateways' external IPs can ping each other, but no internal traffic.

- If I remove the VPN tunnels and change the rules on both sides to permit/allow all traffic between the two networks, it works on only one side: the Netscreen network can ping and access everything on the FW-1 network, but the network behind the FW-1 can't! No ping, no trace, nothing. The worst is even that, when I try to tracert the Netscreen network, it goes up to the 3rd hop after the router, then starts looping. So I thought it was a routing issue and I have added static routes on both sides, but it did not solve the problem.
Thanks
Serge
-----Original Message-----
From: Ed Valasek [mailto:[email protected]]
Sent: Tuesday, February 11, 2003 9:42 PM
To: [email protected]
Subject: Re: [FW-1] VPN/NAT help need for FW 4.1 and Netscreen 5XP.
I have successfully set up CP FW-1 4.1 on NT to a NS 5XP.

Well, to begin with, the documentation you get from NS is not correct. It is to a point, but there are rules you need to add to the NS device and CP FW-1 that are not listed.

Have you begun the setup yet? Can you provide me with some info on your network topology as far as IP structure etc.? I will help you as much as possible. It took me an entire month to figure out what I needed to do to get mine working. How far along have you gotten so far? Are Phase 1 and Phase 2 working? Do the FW-1 logs show communication between the two networks?
-----Original Message-----
From: Serge Vondandamo [mailto:[email protected]]
Sent: Tuesday, February 11, 2003 2:31 PM
To: [email protected]
Subject: [FW-1] VPN/NAT help need for FW 4.1 and Netscreen 5XP.
Importance: High
Hi guys,

Does anyone have tips, docs (not from Checkpoint), information or experience in configuring a VPN tunnel between FW 4.1 and Netscreen (Netscreen does NAT)?

I can't just make it work.

Any help, ideas, docs or tips will be highly appreciated.

Regards,
Serge