[fw-wiz] Checkpoint and Linksys WRT54G/Double NAT



Question for you checkpoint gurus out there:
I have a double-NATted network at home and can't access a Checkpoint FW via their VPN software.
My network looks like this:

Internet -> linksys wrt51ab -> linksys wrt54g -> internal clients (vpn client)
            (DMZ)              (BACK)             (Basic WinXPPro)
            stock firmware     openwrt - IPTables
            PublicIP           192.168.1.14/28    192.168.2.6/24
            192.168.1.1/28     192.168.2.1/24

When I plug directly into DMZ, the VPN has no problem connecting. If I try to access it from the BACK network, however, it always times out.
I have had no issues with Cisco or AT&T VPNs (have had to use both); port 500/udp is good, and AH/ESP traffic is all good on the BACK router. Checkpoint requires special ports, as far as I could gather from googling; I opened those up (256-257/tcp I believe) on BACK, but it still had no effect. Tried opening 4500/tcp & udp to no avail.

I know I am doing something wrong, but access through double NAT certainly must be supported...
Any help is greatly appreciated as I would like to get my wife off of this long wire we have stretching to the office ;-) .

Thanks,

Michael Brown

----- Original Message ----
From: Paul Melson <pmelson@xxxxxxxxx>
To: Firewall Wizards Security Mailing List <firewall-wizards@xxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, January 31, 2008 4:57:06 AM
Subject: Re: [fw-wiz] Checkpoint and RTSP NAT


On Jan 30, 2008 12:35 PM, Pedro Henrique Morsch Mazzoni
<phmazzoni@xxxxxxxxx> wrote:
Client to server Transport field of RTSP packet: Transport:

RTP/AVP;unicast;client_port=6970-6971;mode=play,RTP/AVP/TCP;unicast;mode=play
Server response to client: Transport:

RTP/AVP;unicast;source=72.14.209.177;client_port=59598-59599;server_port=10580-10581;ssrc=6DF21148

Does anyone know if Checkpoint NGX can be aware of RTSP when
using NAT,
and change the payload of the response packet?

Check Point has had no problem with RTSP since the pre-NG days. Your
problem is that the firewall isn't looking for RTSP on those ports
(10580-10581). By default, tcp/554 is the port for RTSP servers.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
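The SETUP exchange quoted above is exactly the part of RTSP a NAT device has to read, because the RTP/RTCP ports are negotiated inside the control channel rather than being fixed. As an added illustration (not code from this thread, from Check Point or from any firewall product), the following Python parses the two Transport headers quoted above and simulates the response-side fixup an RTSP-aware firewall performs: it learns the dynamic server_port range so it can open only those pinholes, and rewrites the source= address carried in the payload. The replacement address 203.0.113.10 is a constructed placeholder.

```python
# Transport headers as quoted in the thread (copied here as constructed input).
CLIENT_TRANSPORT = ("RTP/AVP;unicast;client_port=6970-6971;mode=play,"
                    "RTP/AVP/TCP;unicast;mode=play")
SERVER_TRANSPORT = ("RTP/AVP;unicast;source=72.14.209.177;client_port=59598-59599;"
                    "server_port=10580-10581;ssrc=6DF21148")


def parse_transport(header):
    """Split a Transport header into its comma-separated alternatives.
    Each alternative becomes a dict: the transport spec plus its parameters;
    flag parameters without a value (e.g. 'unicast') map to True."""
    specs = []
    for alt in header.split(","):
        spec_name, *params = alt.strip().split(";")
        spec = {"spec": spec_name}
        for p in params:
            key, _, value = p.partition("=")
            spec[key] = value if value else True
        specs.append(spec)
    return specs


def port_range(value):
    """'10580-10581' -> (10580, 10581); a single port maps to (p, p)."""
    lo, _, hi = value.partition("-")
    return int(lo), int(hi or lo)


def rtsp_nat_fixup(response_header, private_ip, public_ip):
    """Simulate the ALG step a NAT firewall needs on the SETUP response.
    Returns (rewritten_header, pinholes): the header with the advertised
    source address rewritten, and the list of (proto, port) the firewall
    must open from server to client for the media streams."""
    pinholes = []
    for spec in parse_transport(response_header):
        if "server_port" not in spec:
            continue
        lo, hi = port_range(spec["server_port"])
        # Sanity check: RTP plus its RTCP port is two ports; refuse to let a
        # payload value open an arbitrarily wide range on the firewall.
        if hi - lo > 1:
            raise ValueError(f"refusing to open server_port range {lo}-{hi}")
        proto = "tcp" if spec["spec"].endswith("/TCP") else "udp"
        pinholes += [(proto, p) for p in range(lo, hi + 1)]
    # The payload carries the server's own address; left untouched, the client
    # would send its RTCP reports to an address the NAT never translated.
    rewritten = response_header.replace(f"source={private_ip}",
                                        f"source={public_ip}")
    return rewritten, pinholes
```

A real ALG must also do the mirror image on the client's SETUP request (rewrite client_port when the client side is the one behind NAT) and tie the pinholes to the RTSP session so they close when it ends.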


