You can enable an IP NAT pool for SecuRemote connections. When a client
connects to you, it NATs the address as it comes inbound to an address in
the pool. I had to set this up because I have a machine with 192.168.1.2 on
my network, and someone from home was on 192.168.1.2; the packets would
ingress, but they would route to the internal client on the egress. I set up
an IP NAT pool of 192.168.210.x for SecuRemote connections. So far it
appears to work well.

You have to create a network object for your pool network. Then in global
properties, I believe, enable IP Pool NAT under Remote Access. Sorry, I don't
have smartcenter in front of me. Then you need to assign the pools under
the enforcement center properties on the NAT tab for IP Pool Network.
Install policy and then have someone outside of the encryption domain fire
it up and see if it translates them.

You can click on VPN in smarttracker and see the XlateSrc NAT field with
the appropriate values. This will also help if you have an IDS sitting
behind your firewall, because if you see an alert from this IP Pool network,
you know it's coming from the outside via VPN, or could be....
Derek
-----Original Message-----
From: Mr.Bert Wilson [mailto:[email protected]]
Sent: Wednesday, October 08, 2003 5:23 PM
To: [email protected]
Subject: Re: [FW-1] SecureRemote / Network Addressing / Userc.C
Did you try it?
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]]On Behalf Of Jason
>Badry
>Sent: Wednesday, October 08, 2003 5:34 PM
>To: [email protected]
>Subject: [FW-1] SecureRemote / Network Addressing / Userc.C
>
>
>I am running into a situation where a remote client site network addressing
>range is overlapping with my LAN addressing range, and so I have to leave
>my network to establish a SecureRemote connection.
>
>Desktop: Win2KSP4 / SecureRemote 4.1SP5 build 4200.
>Local Lan: 192.168.x
>
>The problem is I've run into the situation where I have clients at various
>sites which are all using different private addressing (10.x.x.x,
>172.x.x.x, 192.168.x.x). I have the least amount of overlap in the
>192.168.x space, and that is why we set up our LAN there.
>
>I have been looking at the userc.c file that SecureRemote contains, and my
>question is:
>1. Would this example work (I haven't managed to get it working so far):
>- say my LAN is at 192.168.100.x
>- at the remote Client, the server(s) I am maintaining are in 192.168.200.x
>- can I remove all references to 192.168.100.x from the userc.c file? I do
>not need to connect to any servers in this space at the remote site.
>
>Any suggestions would be appreciated. Public addressing would be a good
>solution, but I don't know how feasible/possible it would be to
>implement that.
>
>Thanks,
>
>.. Jason Badry
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
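A small model of the behaviour discussed in this thread, added here as an example and not taken from any poster or from Check Point: it shows why a reply to an overlapping client address is delivered to the internal LAN, how translating the client source to a pool address removes the ambiguity, and how a pool address marks VPN-origin traffic in IDS alerts. The /24 masks, the function and class names, and the 203.0.113.10 client address are assumptions.

```python
import ipaddress

# Constructed sample values based on the addresses mentioned in the thread.
INTERNAL = [ipaddress.ip_network("192.168.1.0/24")]   # assumed /24 internal LAN
POOL = ipaddress.ip_network("192.168.210.0/24")       # assumed /24 IP Pool NAT range


def pool_conflicts(pool, internal, client_lans):
    """Networks the pool overlaps; a usable pool returns an empty list."""
    return [n for n in internal + client_lans if pool.overlaps(n)]


class PoolNat:
    """Toy inbound source NAT from a pool (hypothetical, not the product's logic)."""

    def __init__(self, pool):
        self.free = iter(pool.hosts())    # usable pool addresses, in order
        self.by_client = {}               # (public IP, client LAN IP) -> pool IP

    def translate(self, public_ip, lan_ip):
        key = (public_ip, lan_ip)
        if key not in self.by_client:
            self.by_client[key] = next(self.free)
        return self.by_client[key]


def reply_route(dst, internal, pool):
    """Where the protected side sends a reply addressed to dst."""
    dst = ipaddress.ip_address(dst)
    if any(dst in n for n in internal):
        return "internal-lan"             # overlap: reply never reaches the tunnel
    return "vpn-tunnel" if dst in pool else "default"


def alert_origin(src, internal=INTERNAL, pool=POOL):
    """Label the source address of an IDS alert seen behind the firewall."""
    labels = {"vpn-tunnel": "remote-access VPN (pool address)",
              "internal-lan": "internal host"}
    return labels.get(reply_route(src, internal, pool), "other")


if __name__ == "__main__":
    home = "192.168.1.2"                  # remote user's home address, same as an internal host
    print("no pool NAT:", reply_route(home, INTERNAL, POOL))
    xlate = PoolNat(POOL).translate("203.0.113.10", home)  # documentation-range public IP
    print("pool NAT   :", xlate, reply_route(str(xlate), INTERNAL, POOL))
    print("IDS label  :", alert_origin(str(xlate)))
```
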