Firewall-1

Re: [FW-1] VPN Client behind Check Point NG with AI

Subject: Re: [FW-1] VPN Client behind Check Point NG with AI
From: "Davis, Daniel" <DDavis AT CO.DURHAM.NC DOT US>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 26 Feb 2004 11:50:41 -0500

It's not a NAT traversal issue. The problem is that the firewall is not
Hide NAT'ing the ESP packets. So, the packets are leaving with 10.x.x.x
addresses rather than the public address.

And, yes, the NetScreen does have NAT traversal capabilities... but they
are enabled on the NetScreen gateway and not the client.

Dan


From: Will Zegeer [mailto:will AT EPLUS DOT COM]

Dan, I'm not sure about the NetScreen client, but Check Point
SecuRemote/client has a feature to resolve this called
fw1_UDP_encapsulation. Basically it encapsulates the ESP (IP 50) packets
inside UDP 2746 packets. I would check to see if the NetScreen client has a
similar feature like NAT traversal.

> I have a user located behind my NG-AI firewall trying to use
> NetScreen-Remote software to connect to a remote gateway. The initial
> negotiations work fine. However, all ESP traffic from the internal host is
> not being NAT'd as it leaves my firewall. I found an option in
> "Global Properties > VPN-1 Net" concerning NAT and encrypted connections.
> Changing this option has no effect on the outbound traffic. A manual
> NAT rule also had no effect.
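
An added illustration, not part of the original thread: a small check for the symptom described above, run over raw IPv4 packets captured on the firewall's external side, that separates ESP (IP 50) still carrying an RFC 1918 source from translated ESP and from traffic wrapped in UDP 2746. The packets, addresses and function names are constructed for the example.

```python
import ipaddress
import struct
from collections import Counter

ESP_PROTO, UDP_PROTO = 50, 17
ENCAP_PORT = 2746  # UDP port the thread names for the encapsulation feature
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_ipv4(src, dst, proto, payload=b""):
    """Build a constructed sample: 20-byte IPv4 header (checksum 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def build_udp(sport, dport, data=b""):
    """Build a constructed UDP header (checksum 0) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Classify one raw IPv4 packet as seen outside the firewall."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    if proto == ESP_PROTO:
        # ESP with a private source means hide NAT was not applied.
        leaked = any(src in net for net in RFC1918)
        return "esp-untranslated" if leaked else "esp-translated"
    if proto == UDP_PROTO and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if ENCAP_PORT in (sport, dport):
            return "udp-encapsulated"
    return "other"

def summarise(packets):
    """Count packets per class so leaked ESP stands out in a capture."""
    return Counter(classify(p) for p in packets)

# Constructed capture: documentation addresses stand in for public ones.
SAMPLE = [
    build_ipv4("10.1.2.3", "198.51.100.7", ESP_PROTO, b"\x00" * 16),
    build_ipv4("203.0.113.10", "198.51.100.7", ESP_PROTO, b"\x00" * 16),
    build_ipv4("203.0.113.10", "198.51.100.7", UDP_PROTO, build_udp(2746, 2746)),
    build_ipv4("203.0.113.10", "198.51.100.7", UDP_PROTO, build_udp(500, 500)),
]
```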
