Should the Edge X device be able to NAT nodes from LAN for connections going through an enterprise VPN?
Edge X, fw 6.0.74, connected to an NGAIR55 management station with libsw 6.0.81. LAN network is 10/8 (customer, don't ask), DMZ port is 172.19.29/24. Local VPN endpoints are a couple of NGAIR55 Nokia modules running VRRP. Local network is 172.18.1/24.

The management console has defined:
- the local Nokia cluster object, encryption domain manual, contains 172.18/16 and other networks (no 10 network)
- the Edge object, encryption domain manual, contains 172.19.29/24
- a NAT rule 10/8 -> 172.18.1/24 port any, translate to 172.19.29.200 (hide) -> original port original, install on "the Edge configuration container"
- relevant security rules permitting traffic, install on "the Nokia cluster object"

When trying to connect from a node on the physical DMZ port network (real IP 172.19.29.x), the tunnel comes up normally, all OK.

When trying to connect from a LAN 10/8 node to a 172.18.1 node (source should be hide-NATted to 172.19.29.200), the tracker has these logs:
- IKE main mode completion
- IKE quick mode completion for 172.28/16 and <edge public ip address>
- IKE quick mode completion for <edge public ip address> and 10/8 (which is not mentioned in any encryption domain)
- IKE quick mode completion for 172.18/16 and 10/8
- drop <10 node ip> -> <172.18 ip> "encryption failure: Cannot identify peer for encrypted connection (VPN Error code 04)"

but no quick mode for 172.19/29 and 172.18/16 (and the connection fails). "info nat" on the Edge does not show any entry.

I also tried to NAT the LAN nodes on a network different from the DMZ port (with correct encryption domains); that doesn't work either. I also tried NAT 10/8 -> any (always NAT) and so on; it never seemed to be used, as if NAT is ignored if the traffic goes into a tunnel.

Is there any solution to this, am I doing something wrong? Performing NAT on the central endpoint would create loads of conflicts due to that 10/8 network.

Thanks
Heiko

--
-- PREVINET S.p.A.
-- www.previnet.it
-- Heiko Herold [EMAIL PROTECTED] [EMAIL PROTECTED]
-- +39-041-5907073 / +39-041-5917073 ph
-- +39-041-5907472 / +39-041-5917472 fax

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
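A small model of what the tracker entries above are consistent with, written for this page rather than taken from the post or from any Check Point code: quick mode is negotiated for the source address as it looks when the packet is matched against the encryption domains, so whether hide NAT has already been applied at that point decides whether the selector is 172.19.29.200 (inside the Edge's domain) or a 10/8 address (in no domain, hence no peer can be identified). The order of NAT versus VPN matching is a parameter here, not a claim about the firmware; the domains and the NAT rule are copied from the post, the function names and the rule audit are hypothetical, and the "other networks" of the cluster domain are left out because the post does not list them.

```python
"""Encryption-domain matching with and without hide NAT applied first.

Added illustration for the post above; it is not Check Point code and the
NAT-before-VPN ordering is an explicit parameter, not a statement of fact.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Manual encryption domains as described in the post.
EDGE_DOMAIN: List[IPv4Network] = [ip_network("172.19.29.0/24")]
CLUSTER_DOMAIN: List[IPv4Network] = [ip_network("172.18.0.0/16")]  # other nets omitted

# Hide-NAT rule from the post: 10/8 -> 172.18.1/24, source hidden behind 172.19.29.200.
NAT_RULES: List[Dict] = [
    {
        "orig_src": ip_network("10.0.0.0/8"),
        "orig_dst": ip_network("172.18.1.0/24"),
        "xlate_src": ip_address("172.19.29.200"),
    },
]


def apply_hide_nat(src: IPv4Address, dst: IPv4Address,
                   rules: List[Dict] = NAT_RULES) -> IPv4Address:
    """Return the source as it would look after the first matching hide-NAT rule."""
    for rule in rules:
        if src in rule["orig_src"] and dst in rule["orig_dst"]:
            return rule["xlate_src"]
    return src


def find_domain(addr: IPv4Address, domain: List[IPv4Network]) -> Optional[IPv4Network]:
    """Return the encryption-domain network that contains addr, if any."""
    for net in domain:
        if addr in net:
            return net
    return None


def select_sa(src: str, dst: str, nat_before_vpn: bool) -> Optional[Tuple[str, str]]:
    """Return the (local, remote) subnets a quick mode would be negotiated for.

    None means the source falls in no local encryption domain even though the
    destination is in the peer's domain: the packet is VPN traffic without an
    identifiable local side, which is the failure the post's tracker shows.
    """
    s, d = ip_address(src), ip_address(dst)
    if nat_before_vpn:
        s = apply_hide_nat(s, d)
    remote = find_domain(d, CLUSTER_DOMAIN)
    if remote is None:
        return None  # not destined for the peer's domain at all (would go in clear)
    local = find_domain(s, EDGE_DOMAIN)
    if local is None:
        return None
    return (str(local), str(remote))


def audit_nat_rules(rules: List[Dict] = NAT_RULES,
                    domain: List[IPv4Network] = EDGE_DOMAIN) -> List[str]:
    """Flag hide-NAT rules whose translated source is outside the local encryption domain.

    Even when NAT is applied first, such a rule can never produce a matching
    selector, so the check is worth running before blaming the VPN itself.
    """
    problems = []
    for rule in rules:
        if find_domain(rule["xlate_src"], domain) is None:
            problems.append(f"{rule['xlate_src']} is not in the local encryption domain")
    return problems


if __name__ == "__main__":
    cases = [("172.19.29.10", "172.18.1.5"), ("10.1.2.3", "172.18.1.5")]
    for order in (False, True):
        print(f"NAT applied before VPN matching: {order}")
        for src, dst in cases:
            print(f"  {src} -> {dst}: {select_sa(src, dst, order)}")
    print("rule audit:", audit_nat_rules() or "ok")
```

Running it shows the DMZ source negotiating 172.19.29.0/24 <-> 172.18.0.0/16 regardless of ordering, while the 10/8 source only yields that pair when the hide address is substituted first; in the other order there is no local domain to pair with 172.18/16, matching the "Cannot identify peer" drop. The audit function is the check to run against any alternative hide address (for instance one on a network other than the DMZ port): if it is outside the Edge's encryption domain, no ordering can make it work.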
