Re: How to Put Checkpoint SecuRemote Behind NAT?

From: CHANGE username to just westes (DELETE_westes@uscsw.com)
Date: 02/15/02 

From: "CHANGE username to just westes" <DELETE_westes@uscsw.com>
Date: Fri, 15 Feb 2002 06:14:30 GMT

The business location is protected by a Firewall-1 installation with a
25-node license. There are far fewer than 25 nodes behind that firewall
that need to be protected by it.

The home location is a user with one home PC and a simple NAT in front of
that one home PC.

The user at the home location needs to login to a machine at work, and for
many reasons beyond the scope of what I want to discuss here, we would like
to use SecuRemote as a way to authenticate and encrypt that user's
connection to any node behind the firewall.

There was never any statement that Firewall-1 would be installed at a home. 

--
Will

NOTE:   To reply, CHANGE the username to westes AT uscsw.com

"jfb2908" <jfb2908@hottmail.com> wrote in message
news:3c6b8fa7$0$8511$ed9e5944@reading.news.pipex.net...
> PMFJI.... you're talking about a product with a twenty five user licence
in
> the same sentence as home user ?
>
> As far as I am aware, Checkpoint FW-1 will *not* bind to a private IP
> address as defined in the RFC for private address spaces.
>
> If you want to use a work machine from home, get your ISP to provide a
fixed
> real IP address and use a VPN.
>
> NAT does *not* provide any kind of protection other than obfuscation.
>
>
> "CHANGE username to just westes" <DELETE_westes@uscsw.com> wrote in
message
> news:xUJa8.2249$Aw2.176677@bin7.nnrp.aus1.giganews.com...
> > An NAT box on a home network is the most basic kind of protection, and
by
> > far the most commonly employed.   How can you say that isn't common on a
> > home user's machine?   Does Checkpoint really expect home users to put
> their
> > work machines right on the Internet without any form of firewall or
proxy
> > protection?   That's a pretty bizarre message coming from a company
whose
> > whole mission is to secure networks!
> >
> > As for using an NAT on the firewall itself: the problem is how
Checkpoint
> > does licensing.   If you have a 25 node license, you cannot designate
two
> > external interfaces.    In the case of our network, we have a backup
> > Internet connection.   The only way we can think to have two separate
> > external network connections connected to a 25 node Firewall-1 host is
to
> > put the external network connections on a separate NAT box in front of
> > Firewall-1.
> >
> > --
> > Will
> >
> > NOTE:   To reply, CHANGE the username to westes AT uscsw.com
> >
> > "Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
> > news:a4dcv2$3v8$1@news.shlink.de...
> > > CHANGE username to just westes wrote:
> > >
> > > > How can you configure Checkpoint SecuRemote for the case where
either
> > > > Firewall-1 or the SecuRemote client machines are behind NAT boxes?
> > >
> > > Putting the checkpoint FW-1/VPN-1 machine behind a NAT Gateway is
> > > uncommon and not the intended use of such a machine.
> > >
> > > The same with SecuRemote clients. This however is sometimes discussed
> > > on the FW-1 mailinglist and some people claim to have managed such a
> > > setup. Search
> > >
> > > http://www.phoneboy.com
> > >
> > > for NAT and SecuRemote. You might try the instructions given there.
> > > Normally you need another VPN Gateway to connect from machines within
a
> > > network to machines within another network. This other gateway is not
> > > neccessarily a 2nd Checkpoint FW-1/VPN-1 machine. You can for instance
> > > build a VPN between a Pix and a Checkpoint FW-1/VPN-1.
> > >
> > > Wolfgang
> > > --
> > > A foreign body and a foreign mind,
> > > never welcome in the land of the blind.
> > > Peter Gabriel, Not one of us, 1980
> >
> >
>
>
>

Relevant Pages
Loading