
Re: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN Concentrator



Brendan,

I came across a similar problem when I was setting up a VPN between a
Concentrator and NG FP3. After months of work, I found out that the
encryption domains on both peers must be defined exactly the same way.

What happens is that when the Check Point gateway (and any other regular
IPsec gateway) assembles the encrypted packet, there is some information
in it regarding the encryption domain. The Cisco receives the packet and
checks whether the ID the packet carries corresponds to what it has
defined in its encryption domain. Originally, on the Check Point peer I
had defined as the encryption domain a group composed of many networks.
I didn't want to reveal that to the Cisco peer lad, but I had to.
Otherwise, the tunnel was unidirectional: only Cisco's domain could have
access to Check Point's domain, but not the other way around.

Do you have that same problem? Does the Cisco side have access to your
network through the VPN with no problem? If so, match the encryption
domains. Maybe you could try creating a host defined with the NATed
address the users will have access to, and add it to the encryption domain
(create a group). Does it work if you don't NAT?

Hope this helps,

L.

On Tue, 2003-09-02 at 19:58, Brendan Laws wrote:
> Paul,
>
> The tunnel is set up correctly. I send off a ping to something in the
> partner's VPN domain and the tunnel sets up fine; when I send any other
> kind of traffic from my internal host it dies.
>
> I can confirm the NATing works: if I sit on the internal host and, say,
> browse a website from that PC, the source address given to the web
> server is that of the statically NATed address (which is what needs to
> happen).
>
> It is only when traversing the VPN tunnel that it does not seem to be
> using the NATed address as the source, even though the log viewer is
> telling me it has translated the address; the Cisco at the other end is
> seeing the 10.x address as the source, so FireWall-1 is not NATing
> properly through the VPN tunnel.
>
> Cheers,
>
> Brendan
>
> -----Original Message-----
> From: Paul Dawson [mailto:[email protected]]
> Sent: Wednesday, 3 September 2003 2:36 AM
> To: [email protected]
> Subject: Re: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN
> Concentrator
>
>
> Hello,
>
> What I would suggest doing is a snoop or a tcpdump on the ingress
> (internal) interface and the egress (external) interface of your
> firewall and grep for the remote address that you are attempting to
> connect to.
>
> See what addresses are being used on the internal and external
> interfaces and confirm that your NATing is working correctly.
>
> Get the guy on the Cisco concentrator to send you a dump (no, not that
> sort of dump:) of the logs.
>
> If he is seeing your internal address then your NATing is not working
> correctly, full stop. He has an "encryption domain" specified in his
> crypto ACL which does not contain your host's internal address.
>
> So look there first. I'd also suggest that you take special notice of
> the SRC and DST (direction) of the packet in the log viewer and ensure
> that you use the predefined VPN/IPSEC log query in SmartView
> Tracker.
>
> I would say that your tunnel is NOT set up properly because you are
> getting "no valid SA", which are the parameters to negotiate the
> successful build of an IPsec tunnel.
>
> Let us know how it goes.
>
> Regards,
>
> Paul Dawson
>
>
>
> -----Original Message-----
> From: Brendan Laws [mailto:[email protected]]
> Sent: 02 September 2003 03:45
> To: [email protected]
> Subject: [FW-1] VPN + Secure Platform NAT problems + Cisco VPN
> Concentrator
> Importance: High
>
>
> Hi All,
>
> I have come across this odd problem which is causing me some trouble; I
> am hoping someone else has seen this and knows a solution.
>
> I have SecurePlatform AI forming a 3DES VPN Tunnel to a Cisco VPN
> Concentrator running OS 3.6.5 Nov2002
>
> My problem is as follows: I have an internal network object (10.2.1.1/24)
> statically NATed to 203.x.x.1/24 with the VPN community defined as:
>
> EXTPARTNER-VPN-HOSTS    MYVPN-HOSTS
> MYVPN-HOSTS                     EXTPARTNER-VPN-HOSTS
>
> Due to the requirements of the partner I have my internal object
> statically NATed to a public address, it is the public address that the
> partners hosts inside of the VPN tunnel will make connections to and
> from and vice versa.
>
> If I sit on the machine (10.2.1.1/24 -- NATed 203.x.x.1) and send an
> ICMP ping down the line to the partner host in the VPN domain
> (202.1.x.1/24), the server replies and the VPN tunnel is formed and all is
> well. If I look at my log I see the internal server XLATE to the public
> NAT IP and the tunnel comes up, packets pass and everything is good.
>
> BUT
>
> Now I fire off an FTP connection to the same host and nothing happens; it
> fails, and shortly after in my logs I see a drop with "no valid SA".
>
> I confer with the other party running the Cisco side and he tells me
> that when he sees the ICMP ping all is fine, but when I kick off the FTP
> connection he sees the SA deleted, as the Cisco sees the source address of
> the FTP connection as the internal address of 10.2.1.1/24 and not the
> public NAT address, thus the Cisco deletes the tunnel.
>
> In my logs after a short wait I see a dropped FTP packet related to the
> dead SA; however, according to the log viewer, the internal server has
> been XLATEd to the public NAT address.
>
> Basically FW-1 is telling me it NATed the packet to the public IP but
> the Cisco terminating the tunnel is seeing the private IP address, thus
> deleting the tunnel.
>
> I have tried using auto-NAT rules, manual NAT rules, but still I have
> the same problems.
>
> Thank you for any light you can shed on this matter
>
> Cheers,
>
> Brendan
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>
*************************
Leonardo Boulton
Security Engineer

Cybertech Projects
[email protected]
GnuPG pub Key: Upon Request
Tlf:Caracas, Venezuela
*************************
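The selector check that Paul and Leonardo both describe (the peer matches the decrypted packet's inner addresses against its own encryption domain or crypto ACL, and the local gateway only encrypts traffic its own domain covers) can be reproduced in a few lines. What follows is an added model written for this archive page; it is not Check Point or Cisco code and is not part of any message in the thread. It assumes a static one-to-one NAT of 10.2.1.0/24 onto 203.0.113.0/24 and a partner domain of 198.51.100.0/24 (RFC 5737 documentation ranges, constructed to stand in for the masked 203.x.x.x and 202.1.x.x addresses above). The `nat_before_encrypt` flag is a parameter of the model, not a Check Point setting, and every function and constant name is the model's own.

```python
"""Model of IPsec Phase 2 selector (encryption domain / crypto ACL) matching.
Added example, not Check Point or Cisco code; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    # One Phase 2 selector pair as the gateway that holds it sees it.
    # Check Point calls the local side the VPN (encryption) domain; on the
    # Cisco it is the crypto ACL: local = permitted source, remote = dest.
    local: tuple
    remote: tuple


def nets(*cidrs):
    return tuple(Net(c) for c in cidrs)


def covers(networks, ip):
    return any(ip in n for n in networks)


def select_sa(selectors, src, dst):
    """Outbound lookup: first selector whose local side covers src and whose
    remote side covers dst. None is what the gateway logs as 'no valid SA'."""
    for sel in selectors:
        if covers(sel.local, src) and covers(sel.remote, dst):
            return sel
    return None


def static_nat(nat_table, ip):
    """Static one-to-one NAT of whole networks (inside net -> outside net);
    addresses outside the table pass through unchanged."""
    for inside, outside in nat_table.items():
        if ip in inside:
            return outside.network_address + (int(ip) - int(inside.network_address))
    return ip


def send(src, dst, local_sel, peer_sel, nat_table, nat_before_encrypt):
    """Push one packet from our gateway to the peer and report its fate.
    The inner (encrypted) header carries whatever the source address was at
    the moment of encryption, so the order of NAT and encryption matters:
    the peer checks that inner header against its own selectors."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat_before_encrypt:
        src = static_nat(nat_table, src)
    if select_sa(local_sel, src, dst) is None:
        return "dropped locally: no valid SA for %s -> %s" % (src, dst)
    inner_src = src  # a NAT applied after this point never reaches the peer
    # Peer-side check on the decrypted header, seen from the peer's side:
    # our source must be in its remote list, our destination in its local list.
    if not any(covers(p.remote, inner_src) and covers(p.local, dst) for p in peer_sel):
        return "rejected by peer: inner %s -> %s outside its selectors" % (inner_src, dst)
    return "delivered as %s -> %s" % (inner_src, dst)


def domains_symmetric(ours, theirs):
    """Leonardo's rule: what we list as local must be exactly what the peer
    lists as remote, and vice versa, network for network."""
    def flat(sels, side):
        return {n for s in sels for n in getattr(s, side)}
    return (flat(ours, "local") == flat(theirs, "remote")
            and flat(ours, "remote") == flat(theirs, "local"))


# Constructed topology (assumption): inside 10.2.1.0/24 is statically NATed
# to 203.0.113.0/24; the partner's domain is 198.51.100.0/24; the Cisco's
# crypto ACL permits 198.51.100.0/24 <-> 203.0.113.0/24 and nothing else.
NAT = {Net("10.2.1.0/24"): Net("203.0.113.0/24")}
PARTNER = nets("198.51.100.0/24")
CISCO = [Selector(local=PARTNER, remote=nets("203.0.113.0/24"))]
# Our domain holds only the private network.
PRIVATE_DOMAIN = [Selector(local=nets("10.2.1.0/24"), remote=PARTNER)]
# Our domain is built from the NATed address, as suggested in the thread.
NATED_DOMAIN = [Selector(local=nets("203.0.113.0/24"), remote=PARTNER)]
# Our domain is a group of many networks, of which the Cisco knows only one.
WIDE_DOMAIN = [Selector(local=nets("203.0.113.0/24", "10.9.0.0/16"), remote=PARTNER)]
HOST, PEER_HOST = "10.2.1.1", "198.51.100.1"


def run_cases():
    return {
        # encrypted with the private source: the peer sees 10.2.1.1 inside
        "encrypt_then_nat": send(HOST, PEER_HOST, PRIVATE_DOMAIN, CISCO, NAT, False),
        # NATed first, but our own domain does not cover the translated source
        "nat_then_encrypt_private_domain": send(HOST, PEER_HOST, PRIVATE_DOMAIN, CISCO, NAT, True),
        # NATed first and the domain is the NATed network: both ends agree
        "nat_then_encrypt_nated_domain": send(HOST, PEER_HOST, NATED_DOMAIN, CISCO, NAT, True),
        # a host from the extra network is encrypted here and rejected there
        "wide_domain_extra_net": send("10.9.1.1", PEER_HOST, WIDE_DOMAIN, CISCO, NAT, True),
        "wide_domain_symmetric": domains_symmetric(WIDE_DOMAIN, CISCO),
        "nated_domain_symmetric": domains_symmetric(NATED_DOMAIN, CISCO),
    }


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print("%-34s %s" % (name, outcome))
```

Running it prints one line per case: the packet encrypted with its private source is rejected by the peer (the Cisco-side symptom in the thread), the packet that is NATed first while our domain still lists only the private network is dropped locally with no valid SA, the domain built from the NATed address is delivered, and the wide domain reproduces the one-way tunnel Leonardo describes, which `domains_symmetric` flags before any traffic is sent.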




 
   All contents © 2004 Network Presence, LLC. All rights reserved.