05-07-2001 04:54 AM - edited 02-21-2020 11:19 AM
Hi,
We are trying to establish an IPsec tunnel between a VPN 3000 and its client, which is behind a Checkpoint. The Checkpoint is doing port address translation. IPsec through NAT is configured on the concentrator (UDP port 10000). Although we configured the firewall to permit any-to-any traffic, we could not establish the connection. Does anyone have experience tunneling IPsec traffic through FW-1?
(I personally have configured and seen two clients, behind a Cisco router doing PAT, that established IPsec tunnels with the concentrator at the same time, so I don't think the problem is PAT on the Checkpoint.)
I would appreciate any help, thanks.
05-10-2001 01:16 PM
IPsec doesn't work with PAT or NAT overload (Cisco, Checkpoint or any other product). You must have one-to-one translations.
05-18-2001 01:01 AM
Actually it worked! We could establish IPsec tunnels with more than one client behind the Checkpoint. I don't know what your reference point is in saying that it does not work, but what NAT transparency actually does is this: it uses UDP to transport the ESP packets (protocol 50), so that the box doing NAT or PAT can make a translation and the box at the other end of the tunnel (a 3005 concentrator in our case) can accept the packets sent to its UDP port. If NAT transparency were not used, it would drop a packet targeted at one of the ports it normally filters.
The reason it did not work at the beginning was a misunderstanding, because I was not the one configuring the Checkpoint.
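The mechanism described in the reply above, as an added example that is not part of the original thread: a toy model of a PAT device sitting between two clients and a concentrator. Plain ESP (IP protocol 50) carries only an SPI and a sequence number, no ports, so a PAT has nothing to rewrite and cannot tell two inside senders apart; once the ESP packet is carried inside UDP (port 10000 here, as in the thread; the later standard NAT-T of RFC 3948 uses UDP 4500), the PAT rewrites the UDP source port and can return the concentrator's replies to the right inside host, while the concentrator demultiplexes inbound traffic by SPI. All addresses, SPIs and ports are constructed for the illustration, and encryption and IKE are left out.

```python
# Added example (not from the thread): toy model of PAT vs. raw ESP and
# vs. UDP-encapsulated ESP. Addresses, ports and SPIs are constructed.
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
NAT_T_PORT = 10000               # UDP port the concentrator listens on (from the thread)
CONC_IP = "198.51.100.10"        # constructed concentrator address
PAT_PUBLIC_IP = "203.0.113.5"    # constructed public side of the PAT device


@dataclass
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int]      # None for ESP: protocol 50 carries no ports
    dst_port: Optional[int]
    payload: bytes


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP header: 32-bit SPI, 32-bit sequence number, then (here unencrypted) payload."""
    return struct.pack("!II", spi, seq) + payload


def parse_esp(data: bytes) -> Tuple[int, int, bytes]:
    spi, seq = struct.unpack("!II", data[:8])
    return spi, seq, data[8:]


class Pat:
    """Many inside hosts share one public IP; replies are matched by translated port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out: Dict[Tuple[int, str, int], int] = {}          # (proto, ip, port) -> public port
        self.back: Dict[Tuple[int, int], Tuple[str, int]] = {}  # (proto, public port) -> (ip, port)

    def translate_out(self, pkt: Packet) -> Packet:
        if pkt.src_port is None:
            # Raw ESP has no port to rewrite: the PAT cannot tell two inside
            # senders apart, nor route a reply back to the right one.
            raise ValueError(f"protocol {pkt.proto} has no port field")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, self.out[key], pkt.dst_port, pkt.payload)

    def translate_in(self, pkt: Packet) -> Packet:
        ip, port = self.back[(pkt.proto, pkt.dst_port)]
        return Packet(pkt.proto, pkt.src_ip, ip, pkt.src_port, port, pkt.payload)


class Concentrator:
    """Demultiplexes inbound ESP by SPI; replies to the (IP, port) the packet came from."""

    def __init__(self, ip: str):
        self.ip, self.client_by_spi = ip, {}

    def receive(self, pkt: Packet) -> Tuple[str, Packet]:
        if pkt.proto != IP_PROTO_UDP or pkt.dst_port != NAT_T_PORT:
            raise ValueError("expected UDP-encapsulated ESP on the NAT-T port")
        spi, seq, inner = parse_esp(pkt.payload)
        reply = build_esp(spi, seq, b"ack:" + inner)
        return self.client_by_spi[spi], Packet(IP_PROTO_UDP, self.ip, pkt.src_ip, NAT_T_PORT, pkt.src_port, reply)


def raw_esp_passes_pat(client_ip: str, spi: int) -> bool:
    """Try to push plain ESP (protocol 50) through a PAT."""
    pkt = Packet(IP_PROTO_ESP, client_ip, CONC_IP, None, None, build_esp(spi, 1, b"hello"))
    try:
        Pat(PAT_PUBLIC_IP).translate_out(pkt)
        return True
    except ValueError:
        return False


def run_nat_t_scenario() -> Dict[str, Tuple[int, str, bytes]]:
    """Two clients behind one PAT, each with its own SPI, sending ESP inside UDP.
    Per client: public port the PAT assigned, inside IP the reply reached, reply payload."""
    pat, conc = Pat(PAT_PUBLIC_IP), Concentrator(CONC_IP)
    clients = {"10.0.0.1": 0x1001, "10.0.0.2": 0x1002}    # constructed SAs
    conc.client_by_spi.update({spi: ip for ip, spi in clients.items()})
    result = {}
    for ip, spi in clients.items():
        encap = Packet(IP_PROTO_UDP, ip, CONC_IP, NAT_T_PORT, NAT_T_PORT, build_esp(spi, 1, ip.encode()))
        on_wire = pat.translate_out(encap)          # PAT rewrites the UDP source port
        _, reply = conc.receive(on_wire)
        delivered = pat.translate_in(reply)         # PAT maps the port back to the inside host
        result[ip] = (on_wire.src_port, delivered.dst_ip, parse_esp(delivered.payload)[2])
    return result


if __name__ == "__main__":
    print("raw ESP through PAT:", raw_esp_passes_pat("10.0.0.1", 0x1001))
    for ip, (port, dst, inner) in run_nat_t_scenario().items():
        print(f"{ip}: public port {port}, reply reached {dst}, payload {inner!r}")
```

Two things the model makes visible that matter when troubleshooting a setup like the one in the thread: the firewall in front of the clients has to permit the encapsulating UDP port (and IKE on UDP 500) outbound, since the ESP never appears on the wire as protocol 50, and the return path depends entirely on the PAT binding created by the client's first outbound packet, so if that binding times out the concentrator's replies have nowhere to go until the client sends again.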