Corrado,

Yes, now that "sounds very familiar" to me. After fighting that NAT-Traversal issue long enough, I had to finally force either a public IP address on the WAN side or be very careful that the WAN IP address net is not used anywhere (I mean anywhere in the entire network, including your VPN sites). Having over 100+ Edge devices deployed, the second solution was not very manageable, especially in a DHCP environment. Now all Edge devices have to have a public IP address on the WAN side or they will not be deployed.
While some of our Edge boxes were being deployed in homes or small office networks, we would run into the issue where the WAN side of the Check Point Edge would get an IP address of 192.168.1.x (which is the default of many small router devices like LINKSYS). As soon as 2 Check Point Edge devices in 2 different locations start getting the same IP address on the WAN side, things fall apart and sometimes neither of the 2 boxes will work anymore. Either Check Point needs to make some REAL IMPROVEMENT in their NAT-T on the Edge devices... because using 2 VPN clients in office mode (or SecureClients with NAT-T enabled) in the same situation works fine and we do not have that problem. Or fight with the upstream router/NAT device vendor and their way of handling NAT-T... which is a losing battle from the start.

Sorry, I cannot offer a better solution, or hopefully someone else may have run into the same issue and have some input too....

Regards

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Corrado Motta
Sent: Friday, June 27, 2008 2:34 AM
To: [email protected]
Subject: Re: [FW-1] VPN vcentral managed between NGX r65 and X-Edge 7.5.51

I have 3 similar X-Edge, 2 without NAT traversal (that work) and 1 behind a NAT device in DHCP setting (that gives me problems).

On Thu, Jun 26, 2008 at 5:04 PM, Previtera, Sal <[EMAIL PROTECTED]> wrote:
> I have a similar setup in R65 and the Edge 6.x and working great but our
> VPN community is a STAR not meshed...and all NAT is disabled within the
> Edge community.
> It sounds like a routing issue...(with a possible NAT somewhere).

Hi Sal, I have 3 identical X-Edge, 2 without NAT traversal (that work) and 1 behind a NAT device in DHCP setting (that gives me problems), with the same ACL/NAT rules, and they are using the same "routing design".

> I would look at getting additional information on the UTM gateway logs
> by using query properties...before starting to do debugs.
Thanks for your suggestions, I will re-check my NAT rules.

Corrado

Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
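As an added illustration of the WAN-address conflict discussed in this thread (this is example code written here, not code from the thread, the posters, or Check Point), the following Python audit walks a constructed inventory of Edge devices and flags the three conditions the posters warn about: an RFC1918 address on the WAN side (so the tunnel depends on NAT-T through an upstream router), two sites whose WAN interfaces carry the same address, and a WAN subnet that overlaps a LAN reachable over the VPN. The inventory format, site names and addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# RFC1918 ranges checked explicitly (rather than ipaddress' is_private, which
# also matches documentation and other special-purpose blocks).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (assumed format, not taken from the thread):
# one entry per Edge device with its WAN interface address/prefix and the
# LAN subnets it advertises into the VPN community.
EDGES = [
    {"site": "HQ",       "wan": "203.0.113.10/24",  "lans": ["10.1.0.0/16"]},
    {"site": "Home-A",   "wan": "192.168.1.100/24", "lans": ["10.2.0.0/24"]},
    {"site": "Home-B",   "wan": "192.168.1.100/24", "lans": ["10.3.0.0/24"]},
    {"site": "Branch-C", "wan": "192.168.1.7/24",   "lans": ["192.168.1.0/24"]},
]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def audit_wan_addresses(edges):
    """Return a list of (kind, sites, detail) findings for the inventory."""
    findings = []
    by_wan_ip = defaultdict(list)
    wan_nets = {}
    for e in edges:
        iface = ipaddress.ip_interface(e["wan"])
        wan_nets[e["site"]] = iface.network
        by_wan_ip[iface.ip].append(e["site"])
        if is_rfc1918(iface.ip):
            # Private WAN address: the device sits behind an upstream NAT and
            # the tunnel depends on NAT-T, the situation the thread describes.
            findings.append(("private_wan", [e["site"]],
                             f"WAN address {iface.ip} is RFC1918; VPN relies on NAT-T"))

    # Two sites whose WAN interfaces picked up the same address (e.g. 192.168.1.x
    # handed out by consumer routers) look identical to the central gateway.
    for ip, sites in by_wan_ip.items():
        if len(sites) > 1:
            findings.append(("duplicate_wan", sorted(sites),
                             f"WAN address {ip} used at {len(sites)} sites"))

    # A WAN subnet that overlaps any LAN reachable through the VPN makes
    # routing ambiguous on the device whose WAN sits in that range.
    all_lans = [(e["site"], ipaddress.ip_network(l)) for e in edges for l in e["lans"]]
    for site, wnet in wan_nets.items():
        for lan_site, lnet in all_lans:
            if wnet.overlaps(lnet):
                findings.append(("wan_overlaps_vpn_lan", [site],
                                 f"WAN net {wnet} overlaps LAN {lnet} of site {lan_site}"))
    return findings


def sites_by_finding(edges):
    """Map finding kind -> sorted, de-duplicated list of affected sites."""
    out = defaultdict(set)
    for kind, sites, _ in audit_wan_addresses(edges):
        out[kind].update(sites)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for kind, sites, detail in audit_wan_addresses(EDGES):
        print(f"{kind:22s} {','.join(sites):16s} {detail}")
```

Run against the sample inventory, only HQ (public WAN address, non-overlapping LAN) comes out clean; Home-A and Home-B are reported both for the private WAN address and for sharing 192.168.1.100, and all three private-WAN sites are reported because their 192.168.1.0/24 WAN subnet collides with the LAN Branch-C advertises into the VPN. Feeding the script a real inventory (for example exported from the management server) turns the "be very careful that the WAN net is not used anywhere" rule into a check that runs before a device is shipped.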
