Subject: [FW-1] Edge X, NAt with vpn ?
From: Herold Heiko <Heiko.Herold AT PREVINET DOT IT>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 26 Jan 2007 18:31:02 +0100
Should the Edge X device be able to NAT nodes from the LAN for connections going
through an enterprise VPN?

Edge X, firmware 6.0.74, connected to an NGAIR55 management station with libsw
6.0.81.
The LAN network is 10/8 (customer, don't ask); the DMZ port is 172.19.29/24. The local
VPN endpoints are a couple of NGAIR55 Nokia modules running VRRP. The local
network is 172.18.1/24.
The management console has defined:
- the local nokia cluster object, encryption domain manual, contains
172.18/16 and other networks (no 10 network)
- the edge object, encryption domain manual, contains 172.19.29/24
- a NAT rule 10/8->172.18.1/24 port any, translated to
172.19.29.200 (hide)->original, port original, installed on "the Edge
configuration container"
- the relevant security rules permitting the traffic, installed on "the Nokia cluster
object"

When trying to connect from a node on the physical DMZ port network (real IP
172.19.29.x), the tunnel comes up normally, all OK.

When trying to connect from a LAN 10/8 node to a 172.18.1 node (the source
should be hide-NATed to 172.19.29.200), the tracker has these logs:
- IKE main mode completion
- IKE quick mode completion for 172.28/16 and <edge public ip address>
- IKE quick mode completion for <edge public ip address> and 10/8 (which
is not mentioned in any encryption domain)
- IKE quick mode completion for 172.18/16 and 10/8
- drop <10 node ip>-><172.18 ip> "encryption failure: Cannot identify peer
for encrypted connection (VPN Error code 04)"
but no quick mode for 172.19/29 and 172.18/16 (and the connection fails).

"info nat" on the Edge does not show any entry.
I also tried to NAT the LAN nodes onto a network different from the DMZ port
(with correct encryption domains); that doesn't work either.
I also tried NAT 10/8->any (always NAT) and so on; it never seemed to be used,
as if NAT is ignored when the traffic goes into a tunnel.

Is there any solution to this, or am I doing something wrong? Performing NAT
on the central endpoint would create loads of conflicts due to that 10/8
network.

Thanks

Heiko

-- 
-- PREVINET S.p.A. www.previnet.it
-- Heiko Herold Heiko.Herold AT previnet DOT it Sistemisti AT previnet DOT it
-- +39-041-5907073 / +39-041-5917073 ph
-- +39-041-5907472 / +39-041-5917472 fax 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
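As an added illustration of the diagnostic reasoning in the post above (this is not Check Point code and not the poster's, and it does not model how the Edge or the management station actually orders NAT and VPN processing), the script below cross-checks the phase-2 (quick mode) selectors found in a VPN log against the configured encryption domains and the hide-NAT rule. It flags any negotiated selector that belongs to no encryption domain, and computes which selector pair a LAN flow should produce if the hide NAT were applied before the encryption-domain lookup, then checks whether that pair was actually negotiated. The encryption domains, NAT rule and log lines are constructed from the figures quoted in the post; 203.0.113.10 is an assumed stand-in for "<edge public ip address>", and treating a gateway's own address as an acceptable selector is an assumption.

```python
"""Cross-check IKE quick-mode selectors in a VPN log against the configured
encryption domains and a hide-NAT rule.

Added example for this thread: not Check Point code, not the poster's, and not
a model of the product's real NAT/VPN ordering.  Domains, NAT rule and log
lines are constructed from the post; 203.0.113.10 stands in for the Edge's
public address (assumption).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Encryption domains as the post describes them (only the networks it names).
ENC_DOMAINS: Dict[str, List[Net]] = {
    "nokia-cluster": [Net("172.18.0.0/16")],
    "edge": [Net("172.19.29.0/24")],
}

# Assumption: a gateway's own address may appear as a phase-2 selector
# without being part of a configured encryption domain.
GATEWAY_ADDRS = {Net("203.0.113.10/32")}

# Hide-NAT rule from the post: 10/8 -> 172.18.1/24, source hidden behind 172.19.29.200.
NAT_SRC, NAT_DST = Net("10.0.0.0/8"), Net("172.18.1.0/24")
NAT_HIDE = ipaddress.IPv4Address("172.19.29.200")

# Matches both "completion" and the post's spelling "completition".
QM_RE = re.compile(r"quick mode completi\w* for (\S+) and (\S+)", re.IGNORECASE)


def to_net(text: str) -> Net:
    """Expand the abbreviated form used in the log ('172.18/16', '10/8') to a CIDR."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return Net(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def containing_domain(net: Net) -> Optional[Tuple[str, Net]]:
    """(domain name, domain network) that contains the selector, or None."""
    if net in GATEWAY_ADDRS:
        return ("gateway", net)
    for name, nets in ENC_DOMAINS.items():
        for candidate in nets:
            if net.subnet_of(candidate):
                return (name, candidate)
    return None


def nat_source(src: str, dst: str) -> str:
    """Source address after the hide-NAT rule, or the original if it does not match."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return str(NAT_HIDE) if (s in NAT_SRC and d in NAT_DST) else src


def expected_selectors(src: str, dst: str) -> Tuple[Net, Net]:
    """Selector pair that should be negotiated if NAT is applied before the
    encryption-domain lookup: the domain holding the translated source and
    the domain holding the destination."""
    translated = nat_source(src, dst)
    src_dom = containing_domain(Net(f"{translated}/32"))
    dst_dom = containing_domain(Net(f"{dst}/32"))
    if src_dom is None or dst_dom is None:
        raise ValueError(f"{translated} or {dst} is in no encryption domain")
    return src_dom[1], dst_dom[1]


def parse_quick_mode(lines: List[str]) -> List[Tuple[Net, Net]]:
    """Selector pairs taken from the 'quick mode completion' log lines."""
    pairs = []
    for line in lines:
        m = QM_RE.search(line)
        if m:
            pairs.append((to_net(m.group(1)), to_net(m.group(2))))
    return pairs


def undeclared_selectors(lines: List[str]) -> List[str]:
    """Phase-2 selectors that belong to no configured encryption domain."""
    return sorted({str(n) for pair in parse_quick_mode(lines) for n in pair
                   if containing_domain(n) is None})


def expected_pair_seen(lines: List[str], src: str, dst: str) -> bool:
    """True if the selector pair expected for the NAT-ed flow was negotiated (either order)."""
    want = expected_selectors(src, dst)
    seen = parse_quick_mode(lines)
    return want in seen or (want[1], want[0]) in seen


# Constructed log, following the lines quoted in the post (not real tracker output).
SAMPLE_LOG = [
    "Ike Main mode completion",
    "Ike quick mode completion for 172.18/16 and 203.0.113.10",
    "Ike quick mode completion for 203.0.113.10 and 10/8",
    "Ike quick mode completion for 172.18/16 and 10/8",
    'drop 10.1.2.3->172.18.1.5 "encryption failure: Cannot identify peer '
    'for encrypted connection (VPN Error code 04)"',
]

if __name__ == "__main__":
    print("selectors in no encryption domain:", undeclared_selectors(SAMPLE_LOG))
    want = expected_selectors("10.1.2.3", "172.18.1.5")
    print("pair expected for the NAT-ed LAN flow:", want[0], "<->", want[1])
    print("that pair negotiated:", expected_pair_seen(SAMPLE_LOG, "10.1.2.3", "172.18.1.5"))
```

Run against the constructed log, the only selector outside every domain is 10.0.0.0/8, and the pair the NAT-ed flow should have produced (172.19.29.0/24 with 172.18.0.0/16, the same pair a DMZ-port node gets) never appears. That is the check the poster is making by hand: a phase-2 selector carrying the pre-NAT 10/8 address means the SA was negotiated for the untranslated source, consistent with the suspicion that the NAT rule is not consulted for traffic entering the tunnel.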
