
Re: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator


  • To: [email protected]
  • Subject: Re: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator
  • From: Brendan Laws <[email protected]>
  • Date: Wed, 3 Sep 2003 09:58:39 +1000
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcNxdHuHHMwNbGRbRAyLPTd/xELTyQAOQU8w
  • Thread-topic: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator

Paul,

The tunnel is set up correctly. I send off a ping to something in the
partner's VPN domain and the tunnel sets up fine; when I send any other
kind of traffic from my internal host it dies.

I can confirm the NATing works, as if I sit on the internal host and, say,
browse a website from that PC, the source address given to the web
server is that of the statically NATed address (which is what needs to
happen).

It is only when traversing down the VPN tunnel that it does not seem to be
using the NATed address as the source, even though the log viewer is
telling me it has translated the address; the Cisco at the other end is
seeing the 10.x address as the source, so Firewall-1 is not NATing
properly through the VPN tunnel.

Cheers,

Brendan

-----Original Message-----
From: Paul Dawson [mailto:[email protected]]
Sent: Wednesday, 3 September 2003 2:36 AM
To: [email protected]
Subject: Re: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN
Concentrator


Hello,

What I would suggest doing is a snoop or a tcpdump on the ingress
(internal) interface and the egress (external) interface of your
firewall and grep for the remote address that you are attempting to
connect to.

See what addresses are being used on the internal and external
interfaces and confirm that your NATting is working correctly.

Get the guy on the Cisco concentrator to send you a dump (no, not that
sort of dump:) of the logs.

If he is seeing your internal address then your NATting is not working
correctly, full stop. He has an "encryption domain" specified in his
crypto-acl which does not contain your host's internal address.

So look there first. I'd also suggest that you take special notice of
the SRC and DST (direction) of the packet in the log viewer and ensure
that you use the predefined VPN/IPSEC log query in the SmartView
Tracker.

I would say that your tunnel is NOT set up properly because you are
getting "no valid SA", which are the parameters to negotiate the
successful build of an IPSEC tunnel.

Let us know how it goes.

Regards,

Paul Dawson
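One way to carry out the capture-and-compare step Paul describes, as an added example that is not part of this thread: it parses `tcpdump -n` style text from the internal and external interfaces, keeps only packets addressed to the remote partner host, and reports per protocol whether the egress source is the NAT address, is still the private address, or is not visible in clear at all (on the egress side encrypted traffic shows up only as ESP to the peer gateway, which is why the Cisco side's logs are the other half of the check). All addresses and capture lines are constructed for the example; 203.0.113.1 stands in for the 203.x.x.1 NAT address and 198.51.100.1 for the partner host, and the sample is deliberately mixed so that all three verdicts appear.

```python
# Added example, not code from the thread. Implements "tcpdump on ingress and
# egress, grep for the remote address, compare the source addresses" over the
# text output of tcpdump -n. Every address and capture line is constructed.
import re
from collections import defaultdict

# Matches the common tcpdump -n line shapes:
#   TCP/UDP: "IP 10.2.1.1.40000 > 198.51.100.1.21: Flags [S], ..."
#   ICMP:    "IP 10.2.1.1 > 198.51.100.1: ICMP echo request, ..."
#   ESP:     "IP 203.0.113.1 > 198.51.100.254: ESP(spi=0x..,seq=0x1), ..."
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn tcpdump -n text into (src, dst, proto) tuples; non-IP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("Flags"):
            proto = "tcp"
        elif rest.startswith("ICMP"):
            proto = "icmp"
        elif rest.startswith("ESP"):
            proto = "esp"
        elif rest.startswith("UDP"):
            proto = "udp"
        else:
            proto = "other"
        packets.append((m.group("src"), m.group("dst"), proto))
    return packets


def sources_toward(packets, remote):
    """Source addresses seen, per protocol, on packets addressed to remote."""
    seen = defaultdict(set)
    for src, dst, proto in packets:
        if dst == remote:
            seen[proto].add(src)
    return seen


def check_nat(internal_text, external_text, internal_addr, nat_addr, remote):
    """Return {proto: verdict} for each protocol the internal host sent to remote:
    'translated'   - egress capture shows the expected NAT address as source
    'untranslated' - egress capture still shows the private address as source
    'opaque'       - nothing in clear to remote on egress (only ESP to the peer),
                     so only the peer's own logs can show the inner address
    """
    ingress = sources_toward(parse_capture(internal_text), remote)
    egress = sources_toward(parse_capture(external_text), remote)
    verdicts = {}
    for proto, srcs in ingress.items():
        if internal_addr not in srcs:
            continue
        egress_srcs = egress.get(proto, set())
        if internal_addr in egress_srcs:
            verdicts[proto] = "untranslated"
        elif nat_addr in egress_srcs:
            verdicts[proto] = "translated"
        else:
            verdicts[proto] = "opaque"
    return verdicts


# Constructed captures: 10.2.1.1 is the private host, 203.0.113.1 its NAT
# address, 198.51.100.1 the partner host and 198.51.100.254 the peer gateway.
INTERNAL_CAPTURE = """\
09:58:39.000001 IP 10.2.1.1 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64
09:58:39.000200 IP 198.51.100.1 > 10.2.1.1: ICMP echo reply, id 1, seq 1, length 64
09:58:40.000001 IP 10.2.1.1.40000 > 198.51.100.1.21: Flags [S], seq 1, win 65535, length 0
09:58:41.000001 IP 10.2.1.1.40001 > 198.51.100.1.53: UDP, length 40
"""
EXTERNAL_CAPTURE = """\
09:58:39.000100 IP 203.0.113.1 > 198.51.100.254: ESP(spi=0x00001234,seq=0x1), length 116
09:58:40.000100 IP 203.0.113.1.40000 > 198.51.100.1.21: Flags [S], seq 1, win 65535, length 0
09:58:41.000100 IP 10.2.1.1.40001 > 198.51.100.1.53: UDP, length 40
"""


def report():
    """Run the check over the constructed captures."""
    return check_nat(INTERNAL_CAPTURE, EXTERNAL_CAPTURE,
                     "10.2.1.1", "203.0.113.1", "198.51.100.1")


if __name__ == "__main__":
    for proto, verdict in sorted(report().items()):
        print(f"{proto:5s} {verdict}")
```

To feed it real input, run `tcpdump -n -i <internal-if> host <remote>` and `tcpdump -n -i <external-if> host <remote>` on the firewall and paste each output into the corresponding string. An "opaque" verdict is not a pass: it only means the capture cannot see inside the tunnel, and the peer's log of the inner source address is what decides whether the translation happened before encryption.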



-----Original Message-----
From: Brendan Laws [mailto:[email protected]]
Sent: 02 September 2003 03:45
To: [email protected]
Subject: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN
Concentrator
Importance: High


Hi All,

I have come across this odd problem, which is causing me some trouble; I
am hoping someone else has seen this and knows a solution.

I have SecurePlatform AI forming a 3DES VPN tunnel to a Cisco VPN
Concentrator running OS 3.6.5 Nov 2002.

My problem is as follows. I have an internal network object (10.2.1.1/24)
statically NATed to 203.x.x.1/24 with a VPN community defined:

EXTPARTNER-VPN-HOSTS    MYVPN-HOSTS
MYVPN-HOSTS                     EXTPARTNER-VPN-HOSTS

Due to the requirements of the partner I have my internal object
statically NATed to a public address; it is the public address that the
partner's hosts inside of the VPN tunnel will make connections to and
from and vice versa.

If I sit on the machine (10.2.1.1/24 -- NATed 203.x.x.1) and send an
ICMP ping down the line to the partner host in the VPN domain
(202.1.x.1/24) the server replies and the VPN tunnel is formed and all is
well. If I look at my log I see the internal server XLATE to the public
NAT IP and the tunnel comes up, packets pass and everything is good.

BUT

Now I fire off an FTP connection to the same host and nothing happens; it
fails, and shortly after in my logs I see a drop with "no valid SA".

I confer with the other party running the Cisco side and he tells me that
when he sees the ICMP ping all is fine, but when I kick off the FTP
connection he sees the SA deleted, as the Cisco sees the source address of
the FTP connection as the internal address of 10.2.1.1/24 and not the
public NAT address, thus the Cisco deletes the tunnel.

In my logs after a short wait I see a dropped FTP packet related to the
dead SA; however, I see that according to the log viewer the
internal server has been XLATED to the public NAT address.

Basically FW-1 is telling me it NATed the packet to the public IP but
the Cisco terminating the tunnel is seeing the private IP address, thus
deleting the tunnel.

I have tried using auto-NAT rules, manual NAT rules, but still I have
the same problems.

Thank you for any light you can shed on this matter.

Cheers,

Brendan


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================




   All contents © 2004 Network Presence, LLC. All rights reserved.