Firewall-1

[FW-1] NAT in VPN

Subject: [FW-1] NAT in VPN
From: "Bachmann, Olaf" <Olaf.Bachmann AT ARXES-BERLIN DOT DE>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 19 Jun 2006 16:11:26 +0200
Hi.

Who can help me with a NAT/VPN problem? I have a central site and two
external sites.
The central site IP=192.168.190.0/24. Site A IP=192.168.191.0/24. Site B
IP=192.169.192.0/24.
The two sites are fully independent and have only a VPN connection to the
central site. So I set up two star VPN communities. The VPN between the central
and external sites works perfectly.
But now, one system from site A (192.168.191.10) must have access to a system
on site B (192.168.192.10). For this case I created the following NAT rule (no
routing through the central site is possible):
Orig.Src=192.168.191.10
Orig.Dst=192.168.190.10
Service=any
Trans.Src=192.168.190.10
Trans.Dst=192.168.192.10
Service=original
The central firewall logfile shows incoming encrypted traffic from site A and
outgoing encrypted traffic to site B, but no traffic is received by the
gateway on site B. When I read the fw monitor log I think there is outgoing
encrypted traffic to site B. Or ?? Can someone help me?

Best regards.

Olaf
 
in chain (14):
 0: -7ffffff0 (9ab47014) (00000001) tcpt inbound (tcp_tun)
 1: -7f800000 (99d58084) (ffffffff) IP Options Strip (ipopt_strip)
 2: - 2000000 (9ab31cd0) (00000003) vpn decrypt (vpn)
 3: - 1fffff6 (99d59934) (00000001) Stateless verifications (asm)
 4: - 1fffff2 (9ab5a6fc) (00000003) vpn tagging inbound (tagging)
 5: - 1fffff0 (9ab312e0) (00000003) vpn decrypt verify (vpn_ver)
 6: - 1000000 (99d998b4) (00000003) SecureXL conn sync (secxl_sync)
 7:         0 (99ced528) (00000001) fw VM inbound  (fw)
 8:         1 (99d668f0) (00000002) wire VM inbound  (wire_vm)
 9:   2000000 (9ab345ec) (00000003) vpn policy inbound (vpn_pol)
 10:  10000000 (99d99dfc) (00000003) SecureXL inbound (secxl)
 11:  7f600000 (99d4e564) (00000001) fw SCV inbound (scv)
 12:  7f750000 (99e7f09c) (00000001) TCP streaming (in) (cpas)
 13:  7f800000 (99d58324) (ffffffff) IP Options Restore (ipopt_res)
out chain (13):
 0: -7f800000 (99d58084) (ffffffff) IP Options Strip (ipopt_strip)
 1: - 1ffffff (9ab3089c) (00000003) vpn nat outbound (vpn_nat)
 2: - 1fffff0 (99e7f210) (00000001) TCP streaming (out) (cpas)
 3: - 1ff0000 (9ab5a6fc) (00000003) vpn tagging outbound (tagging)
 4: - 1f00000 (99d59934) (00000001) Stateless verifications (asm)
 5:         0 (99ced528) (00000001) fw VM outbound (fw)
 6:         1 (99d668f0) (00000002) wire VM outbound  (wire_vm)
 7:   2000000 (9ab33ca4) (00000003) vpn policy outbound (vpn_pol)
 8:  10000000 (99d99dfc) (00000003) SecureXL outbound (secxl)
 9:  20000000 (9ab32d04) (00000003) vpn encrypt (vpn)
 10:  60000000 (9ab46944) (00000001) tcpt outbound (tcp_tun)
 11:  7f700000 (99e7f450) (00000001) TCP streaming post VM (cpas)
 12:  7f800000 (99d58324) (ffffffff) IP Options Restore (ipopt_res)
eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i4 (vpn tagging inbound)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
eth1c0:i24 (Chain End)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
eth1c0:i8 (wire VM inbound )[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
eth1c0:i15 (Chain End)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
eth1c0:i1 (IP Options Strip)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
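Reading a raw `fw monitor` dump like the one above by eye is error-prone, so here is a small Python parser, added as an example and not part of Olaf's post or of any Check Point tool. It re-joins records that a mail client wrapped, groups them by IP id, and reports the pre- and post-NAT 5-tuple, whether each SYN reached the end of the outbound chain, and whether any packet ever came back from the translated peer. The `SAMPLE` text is a constructed excerpt modelled on the post's records (same addresses, ports and flags, with the same line wrapping); the function names are this example's own. It assumes the documented `fw monitor` convention that the letter after the interface is the inspection point (`i`/`I` pre/post inbound, `o`/`O` pre/post outbound).

```python
"""Summarise Check Point `fw monitor` output for a NAT'd connection.

Added example, not from the original post or from Check Point. SAMPLE is a
constructed excerpt modelled on the post (wrapped lines included on purpose).
"""
import re
from collections import OrderedDict

# "<iface>:<point><pos> (<module>)[<caplen>]: src -> dst (PROTO) len=N id=N"
# <point> is i/I (pre/post inbound) or o/O (pre/post outbound).
IP_START = re.compile(r"^[^:\s]+:[iIoO]\d+\s+\(")
IP_LINE = re.compile(
    r"^(?P<iface>[^:\s]+):(?P<dir>[iIoO])(?P<pos>\d+)\s+\((?P<stage>[^)]*)\)"
    r"\[\d+\]:\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)"
    r"\s+len=(?P<len>\d+)\s+id=(?P<id>\d+)"
)
TCP_LINE = re.compile(
    r"^TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>\S+)"
    r"\s+seq=(?P<seq>[0-9a-f]+)\s+ack=(?P<ack>[0-9a-f]+)"
)

SAMPLE = """\
eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP)
len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52
id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i4 (vpn tagging inbound)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
"""


def _logical_lines(text):
    """Re-join IP lines that a mail client wrapped (e.g. 'id=33186' on its own)."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("TCP:") or IP_START.match(line):
            out.append(line)
        elif out and not out[-1].startswith("TCP:") and "id=" not in out[-1]:
            out[-1] += " " + line  # continuation of an incomplete IP line
        # anything else (chain listing, list footer) is ignored
    return out


def parse_fw_monitor(text):
    """Return one dict per two-line record (IP line followed by its TCP line)."""
    records, pending = [], None
    for line in _logical_lines(text):
        m = IP_LINE.match(line)
        if m:
            pending = m.groupdict()
            continue
        t = TCP_LINE.match(line)
        if t and pending:
            rec = dict(pending, **t.groupdict())
            rec["stage"] = rec["stage"].strip()
            for k in ("pos", "sport", "dport", "id"):
                rec[k] = int(rec[k])
            records.append(rec)
            pending = None
    return records


def summarise(records):
    """Group by IP id: modules traversed plus the 5-tuple before and after NAT."""
    flows = OrderedDict()
    for r in records:
        f = flows.setdefault(r["id"], {
            "inbound": [], "outbound": [], "pre_nat": None, "post_nat": None,
            "flags": r["flags"], "seq": r["seq"],
        })
        tup = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["dir"] in "iI":
            f["inbound"].append(r["stage"])
            f["pre_nat"] = f["pre_nat"] or tup  # first inbound view: as received
        else:
            f["outbound"].append(r["stage"])
            f["post_nat"] = tup                 # last outbound view: as sent
    return flows


def diagnose(flows):
    """What the capture proves: translation, packet left the box, reply seen?"""
    syns = [f for f in flows.values() if f["flags"] == ".S...."]
    translated_dsts = {f["post_nat"][2] for f in syns if f["post_nat"]}
    # A reply from the translated peer would arrive inbound with it as source.
    replies = [f for f in flows.values()
               if f["pre_nat"] and f["pre_nat"][0] in translated_dsts]
    return {
        "syn_count": len(syns),
        "syn_retransmitted": len(syns) > 1 and len({f["seq"] for f in syns}) == 1,
        "translation": (syns[0]["pre_nat"], syns[0]["post_nat"]) if syns else None,
        "left_gateway": bool(syns) and all("Chain End" in f["outbound"] for f in syns),
        "reply_seen": bool(replies),
    }


def analyse(text):
    return diagnose(summarise(parse_fw_monitor(text)))


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the report says: the SYN was retransmitted with an unchanged sequence number, it was translated from 192.168.191.10:2955 -> 192.168.190.10:3000 to 192.168.190.10:2955 -> 192.168.192.10:3000, every copy reached "Chain End" of the outbound chain, and no packet from 192.168.192.10 was ever seen inbound. That is exactly the one-way picture the post describes, and it tells a troubleshooter to look at the far side (the VPN domain and rulebase of the site B gateway) rather than at the central gateway's NAT.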
