That is correct. Since the true negotiation is with the internal IP address, that
is what the internal devices will see.
<UDP header<ESP Header<Original Packet>>>
VPN-1 strips the UDP header, then processes the ESP packet, leaving the original
packet from the client, including its IP address.
I have not had any problems with this config with or without Pools. Both have
worked fine for me.
I have done this on an NT server.
CryptoTech
Paul Keefer wrote:
> Does anyone have any experience with getting Secure Remote
> behind a NAT gateway working with a Checkpoint firewall that
> is doing IP Pool NAT? With no NAT on the client side,
> everything works great. With NAT on the client side, the
> address sent to the end destination from the firewall comes
> out as the original IP address of the Secure Remote client.
> I'm using hybrid mode IKE with all the bells and whistles,
> and the modifications to make secure remote work with
> NAT... Here is a picture:
>
> OS is Solaris 2.6, Checkpoint version 4.1 SP3.
>
> Secure Remote Client (latest one):
> 10.10.10.2
> NAT'ed to:
> 50.50.50.2
>
> Firewall at:
> 40.40.40.1
> pool address is:
> 20.20.20.0/24
>
> Server A is:
> 30.30.30.1
>
> The way I understand things, the Secure Remote client should
> appear to Server A as 20.20.20.x. What I see when doing a
> packet sniff is 10.10.10.2, which is weird (it still works,
> but I don't want Server A to see the client's real
> address). If the client is not NAT'ed, I see 20.20.20.x
> come from the firewall destined for Server A as I would
> expect, and it works.
>
> --
> Paul Keefer AMI-300B/NISC
> LAN/WAN Administrator 405-954-6029
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
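The encapsulation the reply describes, <UDP header<ESP Header<Original Packet>>>, worked through as an added example that is not from either poster. It builds the packet the client sends, passes it through a client-side NAT that rewrites only the outer header, and decapsulates it the way the gateway does, so you can see that the inner packet still carries 10.10.10.2 and that any IP Pool NAT has to be applied to that inner packet afterwards. Assumptions for the sake of a runnable script: ESP in tunnel mode with NULL encryption and no integrity check (so the inner packet is readable without keys), UDP port 2746 as the encapsulation port, SPI 0x1000, a TCP SYN to port 80 as the original traffic, and 20.20.20.5 as the pool address picked for the client; the addresses themselves are the ones from the thread.

```python
"""UDP-encapsulated ESP walk-through (added example; all packets constructed here)."""
import struct

ESP_UDP_PORT = 2746   # assumed encapsulation port for this example
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split('.'))


def bytes_to_ip(b):
    return '.'.join(str(o) for o in b)


def ip_checksum(hdr):
    # RFC 791 one's-complement sum; over a header whose checksum field is set it returns 0
    if len(hdr) % 2:
        hdr += b'\0'
    s = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return (~s) & 0xffff


def ipv4_packet(src, dst, proto, payload, ttl=64):
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack('!H', ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def rewrite_src(pkt, new_src):
    # What a NAT device does to the IP header in front of it: replace the source
    # address and refresh the header checksum. It never looks past that header.
    # (A real NAT also fixes the transport-layer checksum; omitted here.)
    hdr = pkt[:10] + b'\0\0' + ip_to_bytes(new_src) + pkt[16:20]
    hdr = hdr[:10] + struct.pack('!H', ip_checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:]


def esp_null_encapsulate(inner, spi, seq):
    # ESP tunnel mode, NULL encryption, no ICV: SPI, sequence number, the whole
    # original packet, then padding, pad length and next header (4 = IPv4).
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + struct.pack('!BB', pad_len, 4)
    return struct.pack('!II', spi, seq) + inner + trailer


def udp_encapsulate(outer_src, outer_dst, esp):
    # Outer IP + UDP header in front of the ESP packet; UDP checksum 0 = none
    udp = struct.pack('!HHHH', ESP_UDP_PORT, ESP_UDP_PORT, 8 + len(esp), 0) + esp
    return ipv4_packet(outer_src, outer_dst, IPPROTO_UDP, udp)


def gateway_decapsulate(pkt):
    # Gateway side: strip the outer IP and UDP headers, process ESP, and hand
    # back the original packet exactly as the client built it.
    ihl = (pkt[0] & 0x0f) * 4
    if pkt[9] != IPPROTO_UDP:
        raise ValueError('outer packet is not UDP')
    _, dport, ulen, _ = struct.unpack('!HHHH', pkt[ihl:ihl + 8])
    if dport != ESP_UDP_PORT:
        raise ValueError('not the ESP encapsulation port')
    esp = pkt[ihl + 8:ihl + ulen]
    spi, seq = struct.unpack('!II', esp[:8])
    pad_len, next_hdr = esp[-2], esp[-1]
    if next_hdr != 4:
        raise ValueError('expected an IPv4 packet inside ESP')
    inner = esp[8:-(pad_len + 2)]
    return {'outer_src': bytes_to_ip(pkt[12:16]), 'spi': spi, 'seq': seq,
            'inner_src': bytes_to_ip(inner[12:16]),
            'inner_dst': bytes_to_ip(inner[16:20]), 'inner': inner}


def demo(pool_addr='20.20.20.5'):
    # Constructed traffic: a TCP SYN from the client to Server A, port 80.
    tcp = struct.pack('!HHIIBBHHH', 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    original = ipv4_packet('10.10.10.2', '30.30.30.1', IPPROTO_TCP, tcp)
    esp = esp_null_encapsulate(original, spi=0x1000, seq=1)
    from_client = udp_encapsulate('10.10.10.2', '40.40.40.1', esp)
    on_the_wire = rewrite_src(from_client, '50.50.50.2')   # client-side NAT
    seen = gateway_decapsulate(on_the_wire)
    # Only a NAT applied to the decapsulated packet changes what Server A sees.
    to_server = rewrite_src(seen['inner'], pool_addr)
    seen['server_sees'] = bytes_to_ip(to_server[12:16])
    return seen


if __name__ == '__main__':
    r = demo()
    print('outer src after NAT:', r['outer_src'])
    print('inner src after decapsulation:', r['inner_src'])
    print('src Server A sees after pool NAT:', r['server_sees'])
```

The point the script makes is that the client-side NAT only ever touches the outer header (outer source becomes 50.50.50.2), while the packet that comes out of ESP is byte-for-byte what the client built, so its source is still 10.10.10.2; whether Server A sees a 20.20.20.x address depends entirely on whether the firewall applies its pool NAT to that decapsulated packet.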