On the second firewall, the encryption should take place on the address
used by the NAT translation (the outside address). Are you encrypting
based on the outside address, or on the internal, private addresses?

In other words, if you have a setup like this:

LAN-using-192.168.1.0---<FW1 w/NAT>---VPN-using-204.233.3.0---<FW2>---etc

On FW2's ruleset, are you encrypting based on the 192.168.1.0 address or
the 204.233.3.0 address? You should be encrypting on the 204.233.3.0.

If that's not the problem, I'm not sure what else to say except go wild on
the logging and see what's happening. It's possible that you have a crypt
algorithm mismatch or something of that sort. If you don't see any
encrypt/decrypt messages in the logs, then it's most likely a rule set to
encrypt on a wrong source address.

On Fri, 29 Jun 2001, Madhur Nanda wrote:

> Hi ,
>
> i am testing a setup where i have three firewalls in a chain,
>
> the first and second firewall form a g/w to g/w VPN and then second and
> third form another VPN. The second firewall has two interfaces and as
> such it forms VPN with its peer on different interface. I wish to allow
> traffic originating from encryption domain of firewall one to systems in
> encryption domain of firewall three. The second firewall comes in the
> middle and mediates the traffic. I'm using NAT rules on the second
> firewall so as to distinguish between encryption domains on second
> firewall.
> The traffic reaches the second firewall as desired (encrypt -> NAT ->
> ??) But when it leaves the second firewall it is not getting encrypted
> and going plainly.....
>
> can someone throw some light on it????
>
> 1) NAT takes place at only one interface??
> 2) FW-1 can form encryption VPN on two interface???
>
> TIA
>
> regds
> Madhur
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
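The point made in the reply above, that FW2's encrypt rule must match the NAT-translated outside address rather than the private LAN address, as a constructed Python model added here (not code from the thread or from FW-1). It assumes NAT is applied before the encrypt decision on the outbound path, a 1:1 static NAT from 192.168.1.0/24 to 204.233.3.0/24, and a hypothetical 10.50.0.0/24 encryption domain behind FW3.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses following the thread's diagram (not a real deployment).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # private LAN behind FW1
NAT_NET = ipaddress.ip_network("204.233.3.0/24")   # FW2's translated (outside) addresses
PEER_NET = ipaddress.ip_network("10.50.0.0/24")    # hypothetical encryption domain of FW3


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    encrypted: bool = False


def apply_nat(pkt, nat_rules):
    """Static 1:1 source NAT: swap the network prefix, keep the host part."""
    for orig_net, xlate_net in nat_rules:
        if pkt.src in orig_net:
            host = int(pkt.src) - int(orig_net.network_address)
            return replace(pkt, src=xlate_net.network_address + host)
    return pkt


def apply_vpn_policy(pkt, local_domain, peer_domain):
    """Encrypt only when src is in our encryption domain and dst in the peer's."""
    if pkt.src in local_domain and pkt.dst in peer_domain:
        return replace(pkt, encrypted=True)
    return pkt


def forward_fw2(pkt, local_domain):
    """Simplified model of FW2's outbound path: NAT first, then the encrypt decision."""
    translated = apply_nat(pkt, [(LAN_NET, NAT_NET)])
    return apply_vpn_policy(translated, local_domain, PEER_NET)


def translated_source(src):
    """What source address does FW2 present after NAT (as a string)?"""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address("10.50.0.5"))
    return str(apply_nat(pkt, [(LAN_NET, NAT_NET)]).src)


def leaves_encrypted(local_domain):
    """Does a LAN packet bound for FW3's domain leave FW2 encrypted under this rule?"""
    pkt = Packet(ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("10.50.0.5"))
    return forward_fw2(pkt, local_domain).encrypted


if __name__ == "__main__":
    # Rule keyed on the private LAN never matches the translated source: clear text.
    print("domain=192.168.1.0/24 ->", leaves_encrypted(LAN_NET))   # False
    # Rule keyed on the outside address matches after NAT: encrypted.
    print("domain=204.233.3.0/24 ->", leaves_encrypted(NAT_NET))   # True
```

The first case reproduces the symptom in the question (traffic leaves FW2 "plainly"); the second is the fix the reply recommends.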
