Do I need to set up the real public IP under the fw topology as the external interface? And on the firewall's general tab too? I don't find the dynamic interface resolving option ...

thanks.

Gary Scott wrote:

The res says to add the natted IP to your topology for the FW and enable
dynamic interface resolving for remote VPN clients.

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of carlopmart
Sent: Friday, February 17, 2006 3:37 PM
To: [email protected]
Subject: Re: [FW-1] Problems with a natted firewall NGX

I have tried to change the private IP published by the fw to the public router IP in the userc.C SecuRemote client config without success. When the client connects to the fw, userc.C is overwritten.

Gary, I found this solution this morning on Check Point's website, but I do not have enterprise access. Can somebody please send me this solution via email? At this moment, this problem is becoming very urgent.

Thanks.


Gary Scott wrote:


Better yet check out CP res. sk11682

-GS

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of chkp tech
Sent: Friday, February 17, 2006 2:41 PM
To: [email protected]
Subject: Re: [FW-1] Problems with a natted firewall NGX

If changing the userc_IKE_NAT value didn't solve your problem, then I'd
suggest you get an fw monitor and an ike debug from the gateway.  With
the ike debug you'll be able to see where in the process IKE fails and
why.  You might be able to see from the fw monitor which packet IKE
fails with.


1) To debug ike, run the command:
vpn debug ikeon

2) To turn on fw monitoring, run the command:
fw monitor -o mon.out

3) To bring the tunnel back up
Send traffic across the tunnel to initiate the tunnel

4) To stop the fw monitor, run the command:
ctrl + c to stop the fw monitor

5) To turn IKE debugging off, run the command:
vpn debug ikeoff

Review the ike.elg with WordPad and the fw monitor with Ethereal.

Jason


On 2/17/06, carlopmart <[EMAIL PROTECTED]> wrote:


Hi all,

I am trying to set up a VPN for SecuRemote clients. My firewall is an
NGX HF02 under RHEL 3. This firewall is natted by an ADSL router. Under
SmartCenter server I have activated UDP encapsulation (NAT traversal)
to establish VPNs between natted SecuRemote clients and this firewall.
Well, this configuration does not work for me.

Under the SecuRemote userc.C config file I see these params:

: (VPNHome.isildur
    :obj (
        : (192.168.67.193)
    )
    :keymanager (
        :type (refobj)
        :refname ("#_VPNHome")
    )
    :allowed_interface_ranges (
        : (192.168.67.193
            :allowed_range (
                : (
                    :type (machines_range)
                    :ipaddr_first (0.0.0.0)
                    :ipaddr_last (255.255.255.255)
                )
            )
            :is_ext (true)
            :is_natted (false)
        )
    )
    :resolve_interface_ranges (true)
    :ifaddrs (
        : (192.168.67.193)
        : (172.16.76.6)
        : (192.168.100.65)

In this SecuRemote configuration you will see this: is_natted
(false). How can I change this param on the firewall, because it is a
natted device? Do I need to use IKE over TCP to change this value?

Thanks for your help.

--
CL Martinez
carlopmart {at} gmail {d0t} com


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================



-- CL Martinez
carlopmart {at} gmail {d0t} com


--
CL Martinez
carlopmart {at} gmail {d0t} com
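
Added example, not part of the original thread and not Check Point code: a Python check for the condition the original post points at, a userc.C gateway interface that carries a private address while marked :is_natted (false). The grammar is inferred from the quoted fragment, the function names are hypothetical, and the sample is the post's fragment, trimmed, with its missing closing parentheses supplied.

```python
import ipaddress
import re
TOKEN = re.compile(r'\(|\)|:[^\s()]*|"[^"]*"|[^\s():]+')

def parse_entry(tokens, i=0):
    """Parse one ':name (value? child*)' entry; return (node, next_index)."""
    name = tokens[i][1:]
    if tokens[i + 1] != "(":
        raise ValueError("expected '(' after %r" % tokens[i])
    i += 2
    value = None
    if tokens[i] not in ("(", ")") and not tokens[i].startswith(":"):
        value, i = tokens[i].strip('"'), i + 1
    children = []
    while tokens[i].startswith(":"):
        child, i = parse_entry(tokens, i)
        children.append(child)
    if tokens[i] != ")":
        raise ValueError("expected ')' closing %r" % name)
    return {"name": name, "value": value, "children": children}, i + 1

def private_unnatted(node):
    """Interface IPs that are private (RFC 1918 etc.) yet say :is_natted (false)."""
    flags = {c["name"]: c["value"] for c in node["children"]}
    hits = []
    if flags.get("is_natted") == "false" and node["value"]:
        if ipaddress.ip_address(node["value"]).is_private:
            hits.append(node["value"])
    for child in node["children"]:
        hits += private_unnatted(child)
    return hits

def check_userc(text):
    root, _ = parse_entry(TOKEN.findall(text))
    return private_unnatted(root)

# Constructed sample: the post's fragment, trimmed, closing parentheses added.
SAMPLE = """
: (VPNHome.isildur
    :obj ( : (192.168.67.193) )
    :allowed_interface_ranges (
        : (192.168.67.193
            :allowed_range ( : ( :type (machines_range)
                :ipaddr_first (0.0.0.0) :ipaddr_last (255.255.255.255) ) )
            :is_ext (true) :is_natted (false) ) )
    :resolve_interface_ranges (true)
    :ifaddrs ( : (192.168.67.193) : (172.16.76.6) : (192.168.100.65) ) )
"""
print(check_userc(SAMPLE))
```
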
