Re: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator
Hello,

What I would suggest doing is a snoop or a tcpdump on the ingress (internal) interface and the egress (external) interface of your firewall and grep for the remote address that you are attempting to connect to. See what addresses are being used on the internal and external interfaces and confirm that your natting is working correctly.

Get the guy on the Cisco concentrator to send you a dump (no, not that sort of dump :) of the logs. If he is seeing your internal address then your natting is not working correctly, full stop. He has an "encryption domain" specified in his crypto ACL which does not contain your host's internal address. So look there first.

I'd also suggest that you take special notice of the SRC and DST (direction) of the packet in the log viewer and ensure that you use the predefined VPN/IPSEC log query in the SmartView Tracker.

I would say that your tunnel is NOT set up properly because you are getting "no valid SA", which are the parameters to negotiate the successful build of an IPSEC tunnel.

Let us know how it goes.

Regards,
Paul Dawson

-----Original Message-----
From: Brendan Laws [mailto:[email protected]]
Sent: 02 September 2003 03:45
To: [email protected]
Subject: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator
Importance: High

Hi All,

I have come across this odd problem which is causing me some trouble. I am hoping someone else has seen this and knows a solution.

I have SecurePlatform AI forming a 3DES VPN tunnel to a Cisco VPN Concentrator running OS 3.6.5 Nov2002.

My problem is as follows. I have an internal network object (10.2.1.1/24) statically NATed to 203.x.x.1/24, with the VPN community defined as:

    EXTPARTNER-VPN-HOSTS    MYVPN-HOSTS
    MYVPN-HOSTS             EXTPARTNER-VPN-HOSTS

Due to the requirements of the partner I have my internal object statically NATed to a public address; it is the public address that the partner's hosts inside the VPN tunnel will make connections to and from, and vice versa.

If I sit on the machine (10.2.1.1/24, NATed to 203.x.x.1) and send an ICMP ping down the line to the partner host in the VPN domain (202.1.x.1/24), the server replies, the VPN tunnel is formed and all is well. If I look at my log I see the internal server XLATE to the public NAT IP and the tunnel comes up, packets pass and everything is good.

BUT

Now I fire off an FTP connection to the same host and nothing happens; it fails, and shortly after in my logs I see a drop with "no valid SA".

I confer with the other party running the Cisco side and he tells me that when he sees the ICMP ping all is fine, but when I kick off the FTP connection he sees the SA deleted, as the Cisco sees the source address of the FTP connection as the internal address of 10.2.1.1/24 and not the public NAT address; thus the Cisco deletes the tunnel.

In my logs after a short wait I see a dropped FTP packet related to the dead SA; however, according to the log viewer the internal server has been XLATED to the public NAT address.

Basically FW-1 is telling me it NATed the packet to the public IP, but the Cisco terminating the tunnel is seeing the private IP address, thus deleting the tunnel.

I have tried using auto-NAT rules and manual NAT rules, but still I have the same problems.

Thank you for any light you can shed on this matter.

Cheers,
Brendan
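Paul's suggestion of capturing on the ingress and egress interfaces and comparing the source addresses per service, applied to Brendan's symptom, as an added example that is not part of the original thread. It assumes constructed tcpdump -n lines and documentation-range stand-ins (203.0.113.1, 198.51.100.1) for the masked 203.x.x.1 and 202.1.x.1 addresses in the post.

```python
import re
# Constructed stand-ins for the post's masked addresses (203.x.x.1 / 202.1.x.1); 10.2.1.1 is its internal server.
INTERNAL_HOST, NAT_PUBLIC, PARTNER_HOST = "10.2.1.1", "203.0.113.1", "198.51.100.1"

# Constructed tcpdump -n lines from the ingress (internal) interface.
INTERNAL_CAPTURE = """\
12:00:00.000001 IP 10.2.1.1 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64
12:00:05.000001 IP 10.2.1.1.34567 > 198.51.100.1.21: Flags [S], seq 1, win 512, length 0
"""
# Constructed lines from the egress (external) interface: the ping left with the NAT
# address, the FTP SYN left with the private address (the symptom described in the post).
EXTERNAL_CAPTURE = """\
12:00:00.000050 IP 203.0.113.1 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64
12:00:05.000050 IP 10.2.1.1.34567 > 198.51.100.1.21: Flags [S], seq 1, win 512, length 0
"""

LINE_RE = re.compile(r"IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > (?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)")

def parse_capture(text):
    """Return the set of (src, dst, service) flows seen in tcpdump -n output."""
    flows = set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("ICMP"):
            service = "ICMP"
        elif rest.startswith("Flags ["):        # tcpdump prints TCP segments with their flags
            service = "TCP/" + m.group("dport")
        else:
            continue                            # other protocols are not needed for this check
        flows.add((m.group("src"), m.group("dst"), service))
    return flows

def check_nat(internal_text, external_text, internal_host, nat_public, partner_host):
    """Per service from internal_host to partner_host, report what the egress side carried."""
    inside, outside = parse_capture(internal_text), parse_capture(external_text)
    verdict = {}
    for src, dst, service in sorted(inside):
        if src != internal_host or dst != partner_host:
            continue                            # only traffic toward the partner matters here
        if (nat_public, dst, service) in outside:
            verdict[service] = "translated"
        elif (internal_host, dst, service) in outside:
            verdict[service] = "untranslated"   # peer's crypto ACL will never match the 10.x source
        else:
            verdict[service] = "missing on egress"
    return verdict
```

A "translated" ping beside an "untranslated" FTP flow shows the NAT rule is only matching some services, which is exactly the private source the Cisco side reported before dropping the SA.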