We had a problem like this when we turned encapsulation off for FWZ encryption. The VPN clients could connect, but no traffic was passed through the tunnel. We are trying to allow NATed SecuRemote client connections through our Check Point 4.0 FW-1. We followed the instructions on Phoneboy's www.phoneboy.com site, but so far we have not been able to pass any traffic without encapsulation.

The problem with NAT is that it rewrites the source address as its own, which invalidates the packet's checksum. When it is received at the remote end, the device calculates the checksum again. When it does not match the original (because of the NATed address), the packet is discarded. If you can configure the firewall to pass packets with a bad MD5 checksum it will work. Unfortunately I am not sure how to effect that configuration change.

HTH
Ken Claussen MCSE CCNA CCA
[EMAIL PROTECTED]
"The Mind is a Terrible thing to Waste!"
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Abdul Hakim
Sent: Wednesday, October 25, 2000 12:25 AM
To: '[EMAIL PROTECTED]'
Subject: VPN and check point
Hi all,
We are using an Intel Shiva VPN box which is sitting behind a Check Point FW-1. The tunnel gets established between the two VPN boxes, but the machines on the other side of the tunnel cannot be pinged with Check Point running; when you stop the firewall, the ping works.

The policy on the firewall was changed to allow any source to any destination for any service or ports. Even after making this change the firewall behaves in the same fashion, i.e. the hosts on the other end of the tunnel will ping only if the firewall is shut.

We are doing NAT on the firewall.

Anybody having a clue of what/where the problem could be? Thanks in advance for your valuable inputs.

Abdul Hakim
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
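The mechanism Ken describes in the reply above, worked through as an added example (not code from either poster, Check Point or Shiva): a client integrity-protects a packet, a source-NAT device in the path rewrites the source address, and the remote gateway re-verifies. Two styles of integrity check are contrasted. The first, modelled on IPsec AH, covers the immutable IP header fields (source and destination addresses included) plus the payload with a keyed HMAC-MD5 truncated to 96 bits, as RFC 2402 describes for HMAC-MD5-96; the second, modelled on ESP-style encapsulation, covers only the encapsulated payload. The NAT device can and does recompute the plain IP header checksum, but it has no key, so a keyed value that covers the source address cannot be repaired, and the receiver drops the packet. Addresses, the key and the payload are constructed for the example; the AH-style check is an illustration of the class of integrity check involved, not a claim about the exact FWZ wire format.

```python
import hashlib
import hmac
import struct

# Constructed sample values (documentation-range addresses, not real hosts).
PRIVATE_SRC = "192.168.1.10"   # assumed: VPN client behind the NAT device
NAT_SRC = "198.51.100.7"       # assumed: NAT device's public address
DST = "203.0.113.5"            # assumed: remote VPN gateway
PAYLOAD = b"constructed ping request payload"
KEY = b"constructed-shared-integrity-key"  # stands in for the negotiated key


def ip_checksum(header: bytes) -> int:
    """One's-complement IPv4 header checksum (RFC 791). Returns 0 for a
    header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 1) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                      src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_style_icv(header: bytes, payload: bytes, key: bytes) -> bytes:
    """AH-style integrity value: HMAC-MD5-96 over the IP header with the
    mutable fields (TTL, header checksum) zeroed, plus the payload. The
    source and destination addresses ARE covered."""
    hdr = bytearray(header)
    hdr[8] = 0                  # TTL is mutable in transit
    hdr[10:12] = b"\x00\x00"    # header checksum is mutable in transit
    return hmac.new(key, bytes(hdr) + payload, hashlib.md5).digest()[:12]


def esp_style_icv(payload: bytes, key: bytes) -> bytes:
    """Encapsulation-style integrity value: HMAC-MD5-96 over the
    encapsulated payload only; the outer IP header is NOT covered."""
    return hmac.new(key, payload, hashlib.md5).digest()[:12]


def nat_rewrite_source(header: bytes, new_src: str) -> bytes:
    """What a source-NAT device does to the outer header: replace the source
    address and recompute the IP header checksum. It holds no key, so it
    cannot recompute a keyed integrity value."""
    new_src_b = bytes(int(o) for o in new_src.split("."))
    hdr = header[:10] + b"\x00\x00" + header[12:]      # clear old checksum
    hdr = hdr[:12] + new_src_b + hdr[16:]               # rewrite source
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def receiver_accepts(header: bytes, payload: bytes, icv: bytes,
                     key: bytes, covers_header: bool) -> bool:
    """Remote gateway recomputes the integrity value over what it received
    and compares in constant time; a mismatch means the packet is dropped."""
    if covers_header:
        expected = ah_style_icv(header, payload, key)
    else:
        expected = esp_style_icv(payload, key)
    return hmac.compare_digest(expected, icv)


def simulate(covers_header: bool) -> bool:
    """Client signs, NAT rewrites the source, gateway verifies.
    Returns True if the gateway accepts the packet."""
    hdr = build_ipv4_header(PRIVATE_SRC, DST, len(PAYLOAD))
    if covers_header:
        icv = ah_style_icv(hdr, PAYLOAD, KEY)
    else:
        icv = esp_style_icv(PAYLOAD, KEY)
    natted = nat_rewrite_source(hdr, NAT_SRC)
    # The NAT device leaves the plain IP header checksum valid ...
    assert ip_checksum(natted) == 0
    # ... but a keyed check that covers the source address no longer matches.
    return receiver_accepts(natted, PAYLOAD, icv, KEY, covers_header)


if __name__ == "__main__":
    print("header-covering check survives NAT:", simulate(True))   # False
    print("payload-only check survives NAT:   ", simulate(False))  # True
```

The point for the thread: "passing packets with a bad checksum" on the firewall does not help when the rejection happens at the far gateway, which recomputes the keyed value itself. The working choices are to keep the encapsulation mode on (so the rewritten outer header is outside the protected region) or to avoid NAT on the path the integrity check covers.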
