Firewall-1

Re: [FW-1] NAT in VPN

Subject: Re: [FW-1] NAT in VPN
From: Alvaro Gastambide <agastambide AT SADVISOR DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 19 Jun 2006 12:29:16 -0300

You have to use one community for the VPNs to both sites and
configure VPN Routing.
The firewall doesn't know how to route the packet.

Bye



Bachmann, Olaf wrote:
> Hi.
>
> Who can help me further with a NAT/VPN problem? I have a central site and two
> external sites.
> The central site IP=192.168.190.0/24. Site A IP=192.168.191.0/24. Site B
> IP=192.169.192.0/24.
> The two sites are fully independent and have only a VPN connection to the
> central site, so I set up two star VPN communities. The VPN between the
> central and external sites works perfectly.
> But now one system from site A (192.168.191.10) must have access to a system
> on site B (192.168.192.10). For this case I created the following NAT rule (no
> routing through the central site is possible):
> Orig.Src=192.168.191.10
> Orig.Dst=192.168.190.10
> Service=any
> Trans.Src=192.168.190.10
> Trans.Dst=192.168.192.10
> Service=original
> The central firewall logfile shows incoming encrypted traffic from site A and
> outgoing encrypted traffic to site B, but no traffic is received by the
> gateway on site B. When I read the fw monitor log I think there is outgoing
> encrypted traffic to site B. Or?? Can someone help me?
>
> Best regards.
>
> Olaf
>
> in chain (14):
>  0: -7ffffff0 (9ab47014) (00000001) tcpt inbound (tcp_tun)
>  1: -7f800000 (99d58084) (ffffffff) IP Options Strip (ipopt_strip)
>  2: - 2000000 (9ab31cd0) (00000003) vpn decrypt (vpn)
>  3: - 1fffff6 (99d59934) (00000001) Stateless verifications (asm)
>  4: - 1fffff2 (9ab5a6fc) (00000003) vpn tagging inbound (tagging)
>  5: - 1fffff0 (9ab312e0) (00000003) vpn decrypt verify (vpn_ver)
>  6: - 1000000 (99d998b4) (00000003) SecureXL conn sync (secxl_sync)
>  7:         0 (99ced528) (00000001) fw VM inbound  (fw)
>  8:         1 (99d668f0) (00000002) wire VM inbound  (wire_vm)
>  9:   2000000 (9ab345ec) (00000003) vpn policy inbound (vpn_pol)
>  10:  10000000 (99d99dfc) (00000003) SecureXL inbound (secxl)
>  11:  7f600000 (99d4e564) (00000001) fw SCV inbound (scv)
>  12:  7f750000 (99e7f09c) (00000001) TCP streaming (in) (cpas)
>  13:  7f800000 (99d58324) (ffffffff) IP Options Restore (ipopt_res)
> out chain (13):
>  0: -7f800000 (99d58084) (ffffffff) IP Options Strip (ipopt_strip)
>  1: - 1ffffff (9ab3089c) (00000003) vpn nat outbound (vpn_nat)
>  2: - 1fffff0 (99e7f210) (00000001) TCP streaming (out) (cpas)
>  3: - 1ff0000 (9ab5a6fc) (00000003) vpn tagging outbound (tagging)
>  4: - 1f00000 (99d59934) (00000001) Stateless verifications (asm)
>  5:         0 (99ced528) (00000001) fw VM outbound (fw)
>  6:         1 (99d668f0) (00000002) wire VM outbound  (wire_vm)
>  7:   2000000 (9ab33ca4) (00000003) vpn policy outbound (vpn_pol)
>  8:  10000000 (99d99dfc) (00000003) SecureXL outbound (secxl)
>  9:  20000000 (9ab32d04) (00000003) vpn encrypt (vpn)
>  10:  60000000 (9ab46944) (00000001) tcpt outbound (tcp_tun)
>  11:  7f700000 (99e7f450) (00000001) TCP streaming post VM (cpas)
>  12:  7f800000 (99d58324) (ffffffff) IP Options Restore (ipopt_res)
> eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33187
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33188
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33189
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i24 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i8 (wire VM inbound )[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i15 (Chain End)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i1 (IP Options Strip)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O23 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O14 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O6 (wire VM outbound )[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O30 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O13 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:O254 (Chain End)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33190
> TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
> eth1c0:i4 (vpn tagging inbound)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
> TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
> eth1c0:i24 (Chain End)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
> TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
> eth1c0:i8 (wire VM inbound )[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
> TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
> eth1c0:i15 (Chain End)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
> TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
> eth1c0:i1 (IP Options Strip)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
> TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000


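A small reader for the two-line fw monitor records quoted above, added here as an example and not part of the thread or of Check Point's tooling: it groups records by IP id, reports the addresses each packet carried when it entered the inbound chain and when it left the outbound chain (which is where the NAT rule's translation becomes visible), and flags SYNs that left translated but drew no reply from the new destination. The sample records are constructed in the format shown in the thread, not the poster's full capture.

```python
import re
# Constructed sample in the two-line fw monitor record format quoted in the thread.
SAMPLE = """\
eth1c0:i4 (vpn tagging inbound)[52]: 192.168.191.10 -> 192.168.190.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O7 (vpn policy outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:O10 (tcpt outbound)[52]: 192.168.190.10 -> 192.168.192.10 (TCP) len=52 id=33186
TCP: 2955 -> 3000 .S.... seq=478ced82 ack=00000000
eth1c0:i4 (vpn tagging inbound)[40]: 192.168.191.10 -> 192.168.190.10 (TCP) len=40 id=1
TCP: 2955 -> 3000 ..R.A. seq=478ced83 ack=00000000
"""
HDR = re.compile(r"^\w+:([iO])(\d+) \((.+?)\)\[\d+\]: (\S+) -> (\S+) \(TCP\) len=\d+ id=(\d+)$")
TCP = re.compile(r"^TCP: (\d+) -> (\d+) (\S{6}) seq=([0-9a-f]+) ack=[0-9a-f]+$")

def parse(text):
    """One dict per fw monitor record: chain direction/position, module, addresses, flags."""
    lines, hops = [l for l in text.splitlines() if l.strip()], []
    for hdr, tcp in zip(lines[::2], lines[1::2]):   # header line, then its TCP line
        mh, mt = HDR.match(hdr), TCP.match(tcp)
        if not (mh and mt):
            raise ValueError(f"unparsed record: {hdr!r}")
        d, pos, mod, src, dst, ipid = mh.groups()
        hops.append({"dir": "in" if d == "i" else "out", "pos": int(pos), "module": mod.strip(),
                     "src": src, "dst": dst, "id": int(ipid), "flags": mt[3]})
    return hops

def nat_summary(hops):
    """Per IP id: (src, dst) entering the inbound chain and (src, dst) leaving the outbound chain."""
    by_id = {}
    for h in hops:
        by_id.setdefault(h["id"], []).append(h)
    def ends(hs, d):   # lowest inbound position = as received; highest outbound = as sent
        side = [h for h in hs if h["dir"] == d]
        h = (min if d == "in" else max)(side, key=lambda x: x["pos"], default=None)
        return (h["src"], h["dst"]) if h else None
    return {i: {"flags": hs[0]["flags"], "before": ends(hs, "in"), "after": ends(hs, "out")}
            for i, hs in by_id.items()}

def diagnose(hops):
    """Flag SYNs that left the gateway translated but drew no reply from the new destination."""
    findings = []
    for ipid, s in nat_summary(hops).items():
        if s["flags"] != ".S...." or None in (s["before"], s["after"]):
            continue
        tsrc, tdst = s["after"]
        if not any(h["src"] == tdst and h["dst"] == tsrc for h in hops):
            findings.append(f"id {ipid}: {s['before'][0]}->{s['before'][1]} left as "
                            f"{tsrc}->{tdst}; no reply from {tdst} seen")
    return findings
```

Run against a full capture, the per-id summary shows at a glance whether the translated SYN actually left the gateway and whether anything ever came back from the translated destination, which is the question the thread is asking.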
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
