No, Gary, that is not a problem. Both devices can connect properly, and will work
well. What will not work is if an internal user (on the 10.x net) initiates a
connection outbound to the client using the 192 address. If you need this
capability, you must use IP pool.
It is not a problem because the firewall has no interface on the 192 network, nor
does it have a route that forces the connection to remain internal.
I have done the exact same thing to test just such a config.
Regards,
CryptoTech
[EMAIL PROTECTED] wrote:
> Hi, sorry to jump in late. Your reply has got me thinking about a potential
> problem we might have.
>
> Scenario:
> office lan = 10.x.x.x , an encryption domain protected by fw-a.
> user 1 lan at home = 192.168.1.0, running SR with hide-NAT behind a legal
> address.
> user 2 lan at home = 192.168.1.0, running SR with hide-NAT behind a legal
> address.
>
> Would the two different users having the same network at home be a problem, since
> their true IP address is revealed to the office network after a decrypt? Lots
> of folks are getting LinkSys routers, which all default to the same local
> network. I don't want to get into managing their home LANs!!!
>
> Regards,
> Gary
>
> From: CryptoTech <cryptotech@gmx.de>
> Date: 12/06/2000 07:25 AM
> To: Idan Dolev <[EMAIL PROTECTED]>
> cc: "'Yim Lee'" <[EMAIL PROTECTED]>, "Firewall (E-mail)" <[EMAIL PROTECTED]>,
> "Firewall_Mailing_List (E-mail)" <[EMAIL PROTECTED]>, (bcc: Gary Cunninghame/na/Hyperion)
> Subject: Re: [fw1-wizards] RE: [FW1] SR behind NAting device
>
> No, the default route for the firewall should be the internet router. If you
> have the same remote and local subnet, then you have a routing problem, not a
> firewall problem. There is a roundabout way to get it to work in site to site
> (chkp to chkp - don't know about others, they should work) in a site to site
> method, but the actual endpoints must know about each other, and that causes
> SecuRemote to be a No-Go.
>
> Regards,
> CryptoTech
>
> Idan Dolev wrote:
>
> > So for every SecuRemote client I should enter a route??? And what about if
> > it's on the same subnet, like Yim asked?
> >
> > -----Original Message-----
> > From: CryptoTech [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 05, 2000 2:46 PM
> > To: Idan Dolev
> > Cc: 'Yim Lee'; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > Subject: Re: [fw1-wizards] RE: [FW1] SR behind NAting device
> >
> > I would hope not, because that would be incorrect. I have had wonderful
> > experience with UDP encaps and NAT. What I think he is saying is that you will
> > see the client's native IP in the log viewer as opposed to the hidden NATed address.
> >
> > The problem you are having is that the firewall still needs routing information
> > to route packets. If firewall A receives a packet from a non-existent network, or
> > from a network that it cannot find (i.e., the internal IP of a NATed connection), it
> > must 1: have a default route pointing to the internet, 2: have a route to the
> > internal IP address of the remote side via the external interface.
> >
> > Reason: Traffic passes from remote internal - gets NATed, hits Firewall-A,
> > gets UDP unencapsulated, gets decrypted (log), passes on rule (log), goes to
> > internal dest.
> > Return path: from internal dest to the real IP address of the remote device, it
> > should hit the firewall, passes rule acceptance on Firewall-A (still with
> > remote real addr.)
> > The packet is then passed to the IP forwarding kernel BEFORE IKE and UDP
> > re-encapsulation. Thus the reason for the route requirement.
> >
> > Hope this helps,
> > CryptoTech
> >
> > Idan Dolev wrote:
> >
> > > So are you telling me that SP2 udp_encapsulation does not work with NAT??
> > >
> > > -----Original Message-----
> > > From: Yim Lee [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, November 30, 2000 7:04 PM
> > > To: Idan Dolev; Firewall (E-mail); Firewall_Mailing_List (E-mail)
> > > Subject: [fw1-wizards] RE: [FW1] SR behind NAting device
> > >
> > > I talked with CheckPoint and this is a known problem.
> > > Currently, there is no known fix.
> > >
> > > Yim
> > > --- Idan Dolev <[EMAIL PROTECTED]> wrote:
> > > >
> > > > some additional info:
> > > >
> > > > My network is:
> > > >
> > > > station A-----firewall A----firewall B------station B
> > > >
> > > > LAN A is 10.0.0.0, LAN B is 11.0.0.0, and between A and B is 13.0.0.0.
> > > > I am trying from station B to get to station A.
> > > > Firewall B is hiding my station B (HIDE NAT).
> > > > When I do a site update I can authenticate successfully, and I see in the
> > > > firewall A log the IP address of firewall A as the resource for the connection.
> > > > When I try to connect to station A after the authentication, I see in the
> > > > firewall A log my ORIGINAL IP of my station?????
> > > > Of course when I add a route on firewall A to my original IP, everything
> > > > works.......
> > > >
> > > > Is this the right behavior? Should I see the original IP address of my station???
> > > >
> > > > Has anybody had a good experience with SP2 and UDP encapsulation??
> > > >
> > > > Idan
> > > >
> > > > -----Original Message-----
> > > > From: Idan Dolev [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, November 30, 2000 11:39 AM
> > > > To: Firewall_Mailing_List (E-mail)
> > > > Subject: [FW1] SR behind NAting device
> > > >
> > > >
> > > > > Hi guys,
> > > > >
> > > > > Well I am testing out the SR behind natted device and it seems not to work
> > > > > for me....
> > > > > I can download the topology just fine, and as far as I read I should not
> > > > > make any changes, it should work automatically.
> > > > > Any suggestions? After installing SP2 the vpn1_encapsulation is already
> > > > > defined plus the 2746 service, and I checked with or without the force
> > > > > UDP in the client. It seems fine with topology but as soon as I try to
> > > > > connect I see in the firewall log the real invalid client's address.......
> > > > >
> > > > > Idan
> > > >
> > >
> > > > ================================================================================
> > > > To unsubscribe from this mailing list, please see the instructions at
> > > > http://www.checkpoint.com/services/mailing.html
> > > > ================================================================================
> > > ---------------------------------------------------------------------
> > > This email came from the FireWall-1 Wizards Mailing List
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For more information, email: [EMAIL PROTECTED]
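As an added illustration, not code from the thread or from Check Point, here is a longest-prefix-match model of the routing decision CryptoTech describes: the decrypted reply to a SecuRemote client is handed to IP forwarding before it is re-encapsulated, so it must select the external interface. The routing tables, interface names, and client addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing tables for the two firewall-A configurations the thread
# contrasts. Interface names are illustrative. Each entry: (prefix, egress
# interface). Longest prefix wins, as in a real forwarding kernel.
ROUTES_CORRECT = [
    ("10.0.0.0/8", "internal"),      # office LAN (the 10.x net)
    ("0.0.0.0/0", "external"),       # default route -> internet router
]
# Same firewall, but the office also uses 192.168.1.0/24 internally, i.e. the
# "same remote and local subnet" case the thread calls a routing problem.
ROUTES_BROKEN = ROUTES_CORRECT + [("192.168.1.0/24", "internal")]


def select_route(routes, dst):
    """Longest-prefix-match lookup; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def return_path_works(routes, client_ip):
    """The reply carries the client's real (home LAN) address and is routed
    BEFORE IKE/UDP re-encapsulation. Only an external egress reaches the
    encapsulation stage; any other result means the reply is lost internally."""
    return select_route(routes, client_ip) == "external"


if __name__ == "__main__":
    # Gary's two users both sit on 192.168.1.0/24 at home (constructed hosts).
    for ip in ("192.168.1.5", "192.168.1.7"):
        print(ip, "correct:", return_path_works(ROUTES_CORRECT, ip),
              "broken:", return_path_works(ROUTES_BROKEN, ip))
```

With only a default route the firewall has no interface or route on the 192 network, so both clients' replies go out the external interface and the duplicate home subnets never collide; adding an internal 192.168.1.0/24 route steals the reply.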