SecureRemote (Nat problem ?)

IH8Puters

IS-IT--Management
Jul 19, 2003
19
US
I have the SecureRemote VPN working from an ISP dialup connection but from a home/office DSL connection it doesn't work completely.

Adapters:
ext: 66.xxx.xxx.xxx
int1: 192.168.100.0/24
int2: 172.16.31.0/24
int3: 10.0.0.0/16

home/office client 192.168.1.100

I can login fine, update site, etc but very little else. Trying VNC to a system on the 10.0.0.0 network I actually get a login, enter password it opens but screen data never comes through. Network neighborhood not seeing the domains or windows boxes.

Same setup/user dialed in directly to ISP works.

I remember seeing something somewhere about natted addresses on client side but I can't find it again )-:

If anyone has an idea please let me know, thanks a lot !
 
Interesting subnote that has me baffled, I can also map a drive (sort of). I try a map to \\pcname\c$, (on the internal 10.0.0.0 net, finds it I think because the dns server will forward to wins) asks me for a user/password, I enter it and the mapping appears in "My Computer" but I can't open it, says network no longer accessible and the mapping disappears.

Just thought I'd throw this in, maybe it would click with someone.

Thanks
 
Here's the problem:

[mypc-192.168.1.100 dhcp from Linksys]--->[Linksys wireless hub - 10.222.xxx.xxx from isp]---->[DSL ISP natted to 216.xxx.xxx.xxx]--->[Internet]--->[CPfw 66.xxx.xxx.xxx]--->[InternalLan 10.0.0.xxx "hide nat behind interface IP"]

Kind of works, tries to map drives, asks for password, authenticates, can't access the drive though or VNC finds machine, authenticates, won't send screen data and eventually times out.

If I enter bad passwords, etc it tells me I did, it is communicating to a point. Seems to me it's way beyond the TCP or IP layers and should be working if it will do application authentication so I'm at a total loss for ideas. Perhaps it's the messages being originated from the firewall side after connecting ?

If I take the network apart on the remote end:

[mypc 10.222.xxx.xxx from isp]--->[DSL natted to 216.xxx.xxx.xxx]--->[Internet]--->[fw 66.xxx.xxx.xxx]--->[Internal Lan 10.0.0.xxx "hide nat behind interface IP"]

This works great !

Can the CheckPoint figure out the extra nat layers, am I missing something really important or am I wasting my time and money ??

Seems like this would be pretty common today with DSL, Cable modems and small home networks.

Thanks in advance.
 
We have a user with the same problem:
[laptop - 192.168.0.2]--internal private network-->[Dlink dsl router 203.*.*.* public address] -- internet--->[Firewall]

I've been told to try "force UDP encapsulation" on the client end.... still didn't work.

The user authenticates correctly, but they are unable to see anything past the firewall after that.

When looking at the firewall logs, it says the source address is 192.168.0.2, and not the NATed address on the DSL router.

I'm having problems trying to get this going as the user is in another state, and I can't troubleshoot it.

I would love to know what the problem is.
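The two posts above describe the same picture: a SecureRemote client with a private address, one or two port-overloading NAT devices in front of it, and the advice to turn on "force UDP encapsulation". The following Python model is an added example, not code from the thread or from Check Point; it shows why that advice exists. Raw ESP (IP protocol 50) carries no port numbers, so a hide NAT can only key a session on the remote peer and cannot tell two inside hosts apart, whereas ESP wrapped in UDP gets a per-host port mapping like any other UDP flow. The addresses (66.0.2.1, 216.0.2.1, 10.222.0.2, the two 192.168.1.x clients) are placeholders for the masked ones in the thread, the NAT behaviour is a deliberately simplified model, and the port 2746 used for the encapsulated case is an assumption, not something the thread states.

```python
"""Simplified model of a port-overloading ("hide") NAT, chained twice as in the
thread's topology, passing raw ESP versus UDP-encapsulated ESP. Added example,
constructed for illustration; not the thread's or Check Point's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ESP = 50   # IP protocol number for ESP: no port numbers in the header
UDP = 17


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None      # None for ESP, which has no ports
    dport: Optional[int] = None
    session: Optional[int] = None    # session label (real ESP uses a different SPI per direction)


@dataclass
class HideNat:
    """Many inside hosts share one public address; flows are multiplexed by port."""
    public_ip: str
    next_port: int = 40000
    table: Dict[Tuple[int, str, int], int] = field(default_factory=dict)   # (proto, inside ip, port) -> public port
    reverse: Dict[Tuple[int, int], Tuple[str, int]] = field(default_factory=dict)  # (proto, public port) -> inside
    esp_owner: Dict[str, str] = field(default_factory=dict)                # remote peer -> inside host

    def outbound(self, p: Packet) -> Packet:
        if p.proto == ESP:
            # No ports to rewrite: the only key available is the remote peer.
            # A second inside host talking to the same peer silently takes over the slot.
            self.esp_owner[p.dst] = p.src
            return Packet(ESP, self.public_ip, p.dst, session=p.session)
        key = (p.proto, p.src, p.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        pub = self.table[key]
        self.reverse[(p.proto, pub)] = (p.src, p.sport)
        return Packet(p.proto, self.public_ip, p.dst, pub, p.dport, p.session)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        if p.proto == ESP:
            inside = self.esp_owner.get(p.src)
            return None if inside is None else Packet(ESP, p.src, inside, session=p.session)
        inside = self.reverse.get((p.proto, p.dport))
        if inside is None:
            return None
        return Packet(p.proto, p.src, inside[0], p.sport, inside[1], p.session)


def run_scenario(encapsulate: bool) -> Dict[str, List[int]]:
    """Two clients behind the same double NAT each open one session to the firewall.
    Returns, per client, the session labels that actually came back to it."""
    fw = "66.0.2.1"                    # placeholder for the firewall's 66.xxx.xxx.xxx
    linksys = HideNat("10.222.0.2")    # placeholder: ISP-assigned address on the home router
    isp = HideNat("216.0.2.1")         # placeholder: the ISP's own NAT address
    clients = {"192.168.1.100": 0x1001, "192.168.1.101": 0x1002}
    received: Dict[str, List[int]] = {c: [] for c in clients}

    outgoing = []
    for client, session in clients.items():
        if encapsulate:
            # assumed encapsulation port; the thread only says "force UDP encapsulation"
            p = Packet(UDP, client, fw, 2746, 2746, session)
        else:
            p = Packet(ESP, client, fw, session=session)
        outgoing.append(isp.outbound(linksys.outbound(p)))

    # The firewall answers each packet it saw, swapping addresses (and ports for UDP).
    for p in outgoing:
        if p.proto == ESP:
            reply = Packet(ESP, fw, p.src, session=p.session)
        else:
            reply = Packet(UDP, fw, p.src, p.dport, p.sport, p.session)
        back = isp.inbound(reply)
        back = linksys.inbound(back) if back else None
        if back is not None:
            received[back.dst].append(back.session)
    return received


if __name__ == "__main__":
    print("raw ESP:           ", run_scenario(False))
    print("UDP-encapsulated:  ", run_scenario(True))
```

With raw ESP the first client's reply is delivered to the second client, because the inner NAT overwrote its only per-peer entry; with UDP encapsulation each reply finds its own port mapping through both NAT layers. Real routers vary (some track ESP by SPI or allow exactly one "IPsec passthrough" host), so treat this as the mechanism behind the advice rather than a reproduction of the exact failure in the thread.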
 
Do you think this is happening because of "Hide behind Nat" as it's the default setting of checkpoint?

I would experiment using Static Nat and then try it...though never tried it but I think this might help or at least help in trying something different...
 
I see the same thing in my logs, the ip address is that of the address linksys assigned via DHCP to my home pc. I haven't tried the Checkpoint NAT settings other than for the actual operation of our internal systems.

I did try some IP address pooling but what I saw was it pooling the address to the 192.198.x.x address, still wrong.

I found some info referring to PPPoE (a setting I remember seeing on the linksys but no idea what it was set to) and several other articles although nothing specific to the Linksys. It would appear it may have something to do with the way IPSec encapsulates and then the linksys adds its own NATing which is not what fw1 wants. I believe there were some IPSec settings on the Linksys too I need to look at/try.

Seems to be a lot of FW-1 knowledge on phoneboy so I'm going to play with it tonight when I'm home to see if I can get somewhere. I'll certainly post something here if I figure it out.

Still baffles me that it "kind of" works.
 
It does seem puzzling why it ‘sort of’ works.

I’ve been checking the FW-1 mailing list for this type of problem (a client behind a NAT device), and everyone seems to say that enabling UDP encapsulation on the client will fix the problem….. It didn’t work for me.

Please let me know if you have any luck


 
We installed ipso 3.7 which seems to have helped. Currently it's working for the most part although it's pretty slow. I had to put this on the back burner for a while so I need to get back into it.
 