Even behind a Linksys it shouldn't work for more than one Dist IP. On your FW you need UDP 500 to be allowed for IKE whether you are using NAT-T or not. If you enable NAT-T you will need to choose a high UDP port to use for encapsulation; make sure that the port you choose is open in your firewall. If you choose not to go with NAT-T, you can always assign a static NAT through your CP policy for every system on your network to an internet-routable IP from your ISP address pool, if you have extras. In that case you will also need UDP 500 and TCP 50 and 51 (AH and ESP) protocols to be open.
thanks
Amr
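Added example, not code from Check Point or from anyone in this thread: a small model of a hide (many-to-one) NAT that shows why Mike's "only the first IP works" behaviour follows directly from the packet formats, and why UDP encapsulation fixes it. The facts it assumes: IKE runs on UDP 500; ESP is IP protocol 50 and AH is IP protocol 51 (protocol numbers, not TCP ports), and neither carries a port field; NAT-T wraps ESP in UDP, 4500 by default, or whatever port the Contivity side is configured for (the `natt_port` parameter). The inside addresses and the outside interface come from the thread; the VPN gateway address 198.51.100.1, the host addresses and the class and function names are constructed for the example.

```python
"""Model of hide NAT versus IPsec: plain ESP/AH cannot be demultiplexed on
the way back in, UDP-encapsulated ESP (NAT-T) can. Constructed example."""
from dataclasses import dataclass, replace
from typing import Dict, Optional

UDP, ESP, AH = 17, 50, 51  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP/AH: no transport header at all
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP/AH SPI, which a plain hide NAT ignores


class HideNAT:
    """Minimal hide NAT: every inside source is rewritten to one public IP."""

    def __init__(self, public_ip: str, first_port: int = 10000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.udp_out: Dict[tuple, int] = {}    # (src, sport, dst, dport) -> translated sport
        self.udp_in: Dict[tuple, tuple] = {}   # (peer, peer_port, xport) -> (host, port)
        self.ipsec_in: Dict[tuple, str] = {}   # (proto, peer) -> first inside host seen

    def translate_out(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.udp_out:
                # A fresh source port per inside flow is what makes replies routable.
                self.udp_out[key] = self.next_port
                self.udp_in[(pkt.dst, pkt.dport, self.next_port)] = (pkt.src, pkt.sport)
                self.next_port += 1
            return replace(pkt, src=self.public_ip, sport=self.udp_out[key])
        if pkt.proto in (ESP, AH):
            # Only (protocol, peer) is available as a reverse key, so the first
            # inside host to reach a peer owns every reply from that peer.
            self.ipsec_in.setdefault((pkt.proto, pkt.dst), pkt.src)
            return replace(pkt, src=self.public_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving at the public IP back inside; None means dropped."""
        if pkt.proto == UDP:
            inside = self.udp_in.get((pkt.src, pkt.sport, pkt.dport))
            return replace(pkt, dst=inside[0], dport=inside[1]) if inside else None
        if pkt.proto in (ESP, AH):
            host = self.ipsec_in.get((pkt.proto, pkt.src))
            return replace(pkt, dst=host) if host else None
        return None


def vpn_replies(nat_t: bool, natt_port: int = 4500) -> Dict[str, Optional[str]]:
    """Two inside hosts open tunnels to the same VPN gateway through one hide NAT.
    Returns, per inside host, which inside host the gateway's reply is delivered to."""
    nat = HideNAT("204.238.109.60")            # outside interface from the thread
    gateway = "198.51.100.1"                   # constructed VPN gateway address
    hosts = ["172.20.0.10", "172.20.0.11"]     # constructed hosts on the 172.20.0.0 WiFi LAN
    delivered: Dict[str, Optional[str]] = {}
    for i, host in enumerate(hosts):
        # IKE (UDP 500) always survives: it has ports to hide behind. The peer just
        # sees a high source port instead of 500, which IKE's NAT detection handles.
        ike = nat.translate_out(Packet(UDP, host, gateway, sport=500, dport=500))
        assert ike.sport != 500
        if nat_t:
            out = nat.translate_out(Packet(UDP, host, gateway, sport=natt_port,
                                           dport=natt_port, spi=0x1000 + i))
            reply = Packet(UDP, gateway, out.src, sport=natt_port, dport=out.sport,
                           spi=0x2000 + i)
        else:
            out = nat.translate_out(Packet(ESP, host, gateway, spi=0x1000 + i))
            reply = Packet(ESP, gateway, out.src, spi=0x2000 + i)
        back = nat.translate_in(reply)
        delivered[host] = back.dst if back else None
    return delivered


if __name__ == "__main__":
    print("plain ESP :", vpn_replies(nat_t=False))
    print("NAT-T     :", vpn_replies(nat_t=True))
```

Without NAT-T the second host's tunnel is silently delivered to the first host (a real gateway would then drop it as an unknown SPI, which the user sees as "cannot log on"); with NAT-T each host gets its own translated UDP port and both tunnels work. The model is the simplest possible hide NAT; some consumer boxes that advertise "IPsec passthrough" go further and track ESP SPIs per client, but the thread gives no indication that the Check Point hide NAT does, so that is not modelled here.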
________________________________
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Bergin, Rob
Sent: Wednesday, August 18, 2004 11:07 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] NAT Traversal and IPSec Pass Through
Hi All,
Nortel says one possible fix is to turn on NAT-Traversal for the IPSEC group. This uses a UDP port that you can set to allow VPN clients behind a Checkpoint Firewall to work. Is Visitor Mode a part of the VPN from Checkpoint?
Thanks,
Rob
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
Sent: Wednesday, August 18, 2004 9:45 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] NAT Traversal and IPSec Pass Through
Doesn't some version of Nortel have UDP encapsulation? With all of the broadband access available from hotels and other facilities, you're going to hit this problem a lot. We routinely have to use Visitor Mode from major hotel chains because the only traffic they allow out is 80 and 443.
Ray
>From: Mike Feetham <mike.feetham AT PERCEPTA-CRM DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] NAT Traversal and IPSec Pass Through
>Date: Wed, 18 Aug 2004 09:01:05 -0400
>
>It is not possible to turn on IPSec passthrough on Checkpoint firewalls for hide NATs. If they did, the passthrough would only work for the first IP that used the passthrough (so CP tells me, anyway).
>
>This is why Checkpoint suggests using UDP encapsulation, which other posters have stated is not possible. The other possibility is to set up static NATs for users that require VPN access, but this can be an administrative nightmare, depending on the number of users.
>
>
>Mike F.
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Bergin, Rob
>Sent: Tuesday, August 17, 2004 4:27 PM
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: [FW-1] NAT Traversal and IPSec Pass Through
>
>Hi All,
>
>Anyone working with a Nortel Contivity VPN and Checkpoint NG AI? We put an additional adapter in our Checkpoint and have terminated a small wireless LAN into it. It's been great: users jump on the wireless, get assigned a DHCP IP from a DHCP appliance and then can surf the web. Now the issue is when they try and launch our VPN client, they could not log on. We asked Nortel and they said NAT Traversal (NAT-T): because the Checkpoint was NATting the IP address (WIFI LAN is 172.20.0.0) and the interface facing the Contivity is 204.238.109.60, in order for the VPN to work we have to enable NAT-T.
>
>My question is: at my house, I use a NAT box (Linksys router) and I don't require NAT-T, but I think that's because my Linksys supports IPSec Passthrough. What I am wondering is if I can enable IPSec Passthrough on the Checkpoint and/or are there any negative implications.
>
>Thanks,
>
>Rob
>
>
>=================================================
>To set vacation, Out-Of-Office, or away messages, send an email
to
>LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your subscription
options,
>email fw-1-owner AT ts.checkpoint DOT com
>=================================================
>
___________________NOTICE____________________________
This electronic mail transmission contains confidential information intended
only for the person(s) named. Any use, distribution, copying or disclosure by
any other person is strictly prohibited. If you received this transmission in
error, please notify the sender by reply e-mail and then destroy the message.
Opinions, conclusions, and other information in this message that do not relate
to the official business of Bain & Company shall be understood to be neither
given nor endorsed by the Company. When addressed to Bain clients, any
information contained in this e-mail is subject to the terms and conditions in
the governing client contract.
_______________________________________