Re: [FW-1] VPN Client behind Check Point NG with AI

Subject:	Re: [FW-1] VPN Client behind Check Point NG with AI
From:	Will Zegeer <will AT EPLUS DOT COM>
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Thu, 26 Feb 2004 12:53:08 -0500

I would have to see the output of an fw monitor capture with the -m iIoO
options set (not tcpdump/windump/snoop)...but if there is a way to
encapsulate the esp packets I would try it.


Will Zegeer, CISSP, CHSP

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM]On Behalf Of Davis,
> Daniel
> Sent: Thursday, February 26, 2004 11:51 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] VPN Client behind Check Point NG with AI
>
>
> It's not a NAT transversal issue. The problem is that the
> firewall is not
> Hide NAT'ing the ESP packets. So, the packets are leaving
> with 10.x.x.x
> addresses rather than the public address.
>
> And, yes, the Netscreen does have NAT transversal
> capabilities... but they
> are enabled on the Netscreen gateway and not the client.
>
> Dan
>
>
> From: Will Zegeer [mailto:will AT EPLUS DOT COM]
>
> Dan, I'm not sure about the netscreen client but Checkpoint
> securemote/client has a feature to resolve this called
> fw1_UDP_encapsulation. Basically it encapsulates the esp (ip
> 50) packets
> inside udp 2746 packets. I would check to see if the
> netscreen client has a
> similar feature like nat traversal.
>
> > I have a user located behind my NG-AI firewall trying to use
> > NetScreen-Remote software to connect to a remote gateway.
> The initial
> > negotiations work fine. However, all ESP traffic from the
> > internal host are
> > not being NAT'd as they leave my firewall. I found an option
> > in "Global
> > Properties > VPN-1 Net" concerning NAT and encrypted
> > connections. Changing
> > this option has no effect on the outbound traffic. A manual
> > NAT rule also
> > had no effect.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
[FW-1] VPN Client behind Check Point NG with AI, Davis, Daniel Re: [FW-1] VPN Client behind Check Point NG with AI, Will Zegeer Re: [FW-1] VPN Client behind Check Point NG with AI, Davis, Daniel Re: [FW-1] VPN Client behind Check Point NG with AI, Crist Clark Re: [FW-1] VPN Client behind Check Point NG with AI, Will Zegeer <=

Previous by Date:	[FW-1] How to have multiple masters/loggers for one module ?, Emmanuel Bailleul
Next by Date:	Re: [FW-1] VPN Client behind Check Point NG with AI, Crist Clark
Previous by Thread:	Re: [FW-1] VPN Client behind Check Point NG with AI, Crist Clark
Next by Thread:	[FW-1] Luna VPN accelerator cards, Pendergrass, Greg
Indexes:	[Date] [Thread] [Top] [All Lists]