Firewall-1

Re: [FW-1] Problem to establish VPN connection (NAT pb...?)

Subject: Re: [FW-1] Problem to establish VPN connection (NAT pb...?)
From: Shiroma Dassanayake <nilshiro2000 AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 6 Jun 2007 21:40:53 -0700
Hi

According to your mail, the SecureClient enters 81.1.1.1 as the host IP of 
the site that they are connecting to. But this IP translates to the external 
interface IP of your firewall. Here is something you could try that might work: 
NAT your firewall host IP. Then enter this NAT'd IP as the site IP in 
SecureClient. You would have to change the link selection to match this as well.

Regards
shiroma

Joel Guillerm <joel.guillerm AT FR.IBM DOT COM> wrote:
Hi,
here is an example to avoid confusion:
1) the SecureClient tries to connect to the Public IP address of the 
Firewall, which is 81.1.1.1
2) the NAT device (Radware LinkProof), located between the Firewall and 
the Internet, translates this address 81.1.1.1 to the real private address of 
the Firewall external interface, which is 10.1.1.1
and we did the test by coding the "Statically NATted IP" option in 
the Link selection section of the VPN properties of the Cluster to the 
value 81.1.1.1

thanks for any feedback

--------------------------------------------------------------------------------------
Joel GUILLERM
Architecte Réseaux/Sécurité 
CISCO Certified (CCDP)

IBM Global Services - ITS
Agence IBM NANTES

EMAIL : joel.guillerm AT fr.ibm DOT com
TEL : +33.2.4041.4638 (int. : 874638)
Mobile : +33.6.8503.3184
FAX : +33.2.4041.4638



Shiroma Dassanayake (sent by: Mailing list for discussion of Firewall-1), 06/06/2007 12:20
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Problem to establish VPN connection (NAT pb...?)

Hi

What is the IP that the SecureClient enters when creating the site (when 
connecting from the Internet)? Is it the statically NAT'd IP of the 
cluster, or is it the statically NAT'd IP of the firewall interface that 
connects to your ISP?

Regards
Shiroma


Joel Guillerm wrote:
Checkpoint R62, 2 Nokias in a Cluster, SecureClient R56

VPN tunnels can be established from the inside network, but we are unable 
to establish them from the Internet;
the reason might be that the Firewall is hidden behind a NAT device 
(Radware machines);

We have tried to code the "Statically NATted IP" option in the Link 
selection section of the VPN properties of the Cluster, but nothing changed;
the UDP NAT Traversal option is also checked, and IKE over TCP has also 
been tested (on both sides);
but it seems that we don't even reach this phase, since the default 2746 
UDP port never appears in Sniffer traces (taken before and after the NAT 
device);

NAT traversal is generally used in case the client PC real address is 
hidden behind a NAT device before reaching the VPN Firewall,
but here it is the reverse, since the Firewall real address is a private 
one and so it is hidden from the Internet;
Is this configuration supported?

We have the same topology with other types of Firewalls and don't have any 
problem with NAT.
As far as I understand, this NAT traversal option only concerns IPSEC 
encapsulation inside a UDP layer to allow NAT pass-through;
the problem here seems to occur during the ISAKMP phase.

The scenario, at time of test, is as follows, from the user point of view:
a) after entering the password on the initial Connect screen and clicking 
the Connect button, a "Verify Certificate" popup is displayed: it is the 
same kind of screen shown when creating the site itself
b) after clicking OK on this popup, the password is prompted again with 
the same kind of screen as the initial Connect screen, with a Cancel = xxx 
button and a Connect button;
c) after clicking the Connect button, the screen disappears, and nothing 
else is visible for 1 min;
d) after that, a "VPN Connection failed" popup appears next to the 
SecureClient icon on the Quick Launch part of the screen

There are visible messages about this VPN test in the SmartView Tracker log, but 
none seems to be an error message.

Any help welcomed

thanks in advance

--------------------------------------------------------------------------------------
Joel 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================




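The sniffer check the thread turns on (is IKE phase 1 reaching the gateway and being answered, does anything ever move to UDP 2746 or 4500, and is the client talking to the address the gateway actually has on the side of the NAT device where the trace was taken) can be made concrete with a small packet triage script. The following is an added example, not code from the thread, from Check Point or from Radware: it decodes IPv4/UDP frames, reads the ISAKMP header and summarises one trace. The addresses 81.1.1.1 and 10.1.1.1 are the ones given in the thread; the client address 203.0.113.5, the cookies, the port conventions (500, 4500, 2746) and the sample frames are constructed assumptions.

```python
import socket
import struct
from collections import Counter

# Port conventions referred to in the thread. These are assumptions about the
# products named (Check Point R62 / SecureClient), not values read from any capture.
IKE_PORT = 500              # ISAKMP: phase 1 (main/aggressive) and phase 2 (quick mode)
NAT_T_PORT = 4500           # RFC 3947/3948 UDP encapsulation of IKE and ESP
CP_UDP_ENCAP_PORT = 2746    # Check Point's own UDP encapsulation default
VPN_PORTS = (IKE_PORT, NAT_T_PORT, CP_UDP_ENCAP_PORT)

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # i-cookie, r-cookie, next, version, exchange, flags, msg id, length
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive", 5: "informational", 32: "quick-mode"}


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP datagram. Checksums stay zero, which is enough for offline parsing."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def build_isakmp(i_cookie, r_cookie, exchange, msg_id=0, body=b""):
    """Build an ISAKMP header (RFC 2408, section 3.1) followed by an opaque body."""
    return ISAKMP_HDR.pack(i_cookie, r_cookie, 1, 0x10, exchange, 0, msg_id, 28 + len(body)) + body


def parse_packet(raw):
    """Decode one IPv4/UDP datagram into addresses, ports and, when present, the ISAKMP header."""
    if len(raw) < 28 or raw[0] >> 4 != 4 or raw[9] != 17:
        return None
    ihl = (raw[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", raw, ihl)
    info = {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "sport": sport, "dport": dport, "ike": None}
    payload = raw[ihl + 8:]
    if NAT_T_PORT in (sport, dport):
        # RFC 3948: on UDP/4500 four zero bytes (the non-ESP marker) precede IKE; anything else is ESP
        if payload[:4] != b"\x00\x00\x00\x00":
            info["ike"] = "esp-in-udp"
            return info
        payload = payload[4:]
    if (IKE_PORT in (sport, dport) or NAT_T_PORT in (sport, dport)) and len(payload) >= 28:
        _ic, r_cookie, _np, _ver, exch, _flags, _msgid, _len = ISAKMP_HDR.unpack_from(payload)
        info["ike"] = {"exchange": EXCHANGE_TYPES.get(exch, "type-%d" % exch),
                       # the responder fills in its cookie only once it has accepted the first message
                       "responder_cookie_set": r_cookie != b"\x00" * 8}
    return info


def triage(frames, firewall_addr):
    """Summarise what one trace shows for the SecureClient exchange with firewall_addr.

    firewall_addr is the address the gateway has on the side where the trace was taken:
    the public, statically NATted address before the NAT device, the private
    external-interface address after it.
    """
    ports, exchanges, wrong_dst, replied = Counter(), [], [], False
    for raw in frames:
        p = parse_packet(raw)
        if p is None:
            continue
        port = p["dport"] if p["dport"] in VPN_PORTS else p["sport"]
        if port not in VPN_PORTS:
            continue
        ports[port] += 1
        if isinstance(p["ike"], dict):
            exchanges.append(p["ike"]["exchange"])
            if p["src"] == firewall_addr and p["ike"]["responder_cookie_set"]:
                replied = True
        if firewall_addr not in (p["src"], p["dst"]):
            wrong_dst.append((p["src"], p["dst"]))
    return {
        "packets_per_port": dict(ports),
        "ike_exchanges": exchanges,
        "firewall_replied": replied,      # False on both sides: phase 1 never gets an answer
        "wrong_destination": wrong_dst,   # VPN traffic that neither comes from nor goes to firewall_addr
        "encapsulation_seen": bool(ports[NAT_T_PORT] or ports[CP_UDP_ENCAP_PORT]),
    }


# Constructed sample trace, as if taken on the Internet side of the NAT device: a client
# (address made up) talks to the public 81.1.1.1 from the thread, the gateway answers
# phase 1, and no encapsulated traffic on 2746 or 4500 ever appears.
CLIENT, PUBLIC_FW, PRIVATE_FW = "203.0.113.5", "81.1.1.1", "10.1.1.1"
IC, RC = b"\x11" * 8, b"\x22" * 8
SAMPLE_BEFORE_NAT = [
    build_ipv4_udp(CLIENT, PUBLIC_FW, 500, 500, build_isakmp(IC, b"\x00" * 8, 2, body=b"\x00" * 40)),
    build_ipv4_udp(PUBLIC_FW, CLIENT, 500, 500, build_isakmp(IC, RC, 2, body=b"\x00" * 40)),
    build_ipv4_udp(CLIENT, PUBLIC_FW, 500, 500, build_isakmp(IC, RC, 2, body=b"\x00" * 40)),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BEFORE_NAT, PUBLIC_FW).items():
        print("%-20s %s" % (key, value))
```

Run `triage()` once over the trace taken before the NAT device with 81.1.1.1 and once over the trace taken after it with 10.1.1.1. An empty `wrong_destination` on both sides shows the Radware box is rewriting the address as intended; `firewall_replied` False on the inside trace means the gateway never answered the first main-mode message, while True together with `encapsulation_seen` False puts the failure after phase 1, where the link selection setting and the NAT traversal options come into play. On a real capture, feed the function the IPv4 frames from the pcap instead of the constructed list.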
