Firewall Wizards mailing list archives

Checkpoint and Linksys WRT54G/Double NAT


From: LaTania Williams <topo2 () pacbell net>
Date: Thu, 31 Jan 2008 14:26:01 -0800 (PST)

Question for you checkpoint gurus out there:
I have a double-NATed network at home, and can't access a Checkpoint fw via their vpn sw.
My network looks like this:
 
Internet -> linksys wrt51ab                  -> linksys wrt54g                       -> internal clients (vpn client)
            DMZ                                 BACK                                    Basic WinXPPro
            stock firmware                      openwrt - IPTables
            PublicIP %-% 192.168.1.1/28         192.168.1.14/28 %-% 192.168.2.1/24       192.168.2.6/24

When I plug directly into DMZ, the vpn has no problem connecting.  If I try to access from the BACK network however, it always times out.
I have had no issues with Cisco or AT&T VPNs (have had to use both); port 500/udp is good, and AH/ESP traffic are all good on the BACK router.  Checkpoint requires special ports, as I could gather from googling; I opened those up (256-257/tcp I believe) on BACK, still had no effect.  Tried opening 4500/tcp & udp to no avail.

I know I am doing something wrong, but access through double nat certainly must be supported...
Any help is greatly appreciated, as I would like to get my wife off of this long wire we have stretching to the office ;-) .

Thanks,

Michael Brown
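
[Editor's note: added illustration for this thread, not code from the poster, from Check Point or from SecureClient.] The reason udp/4500 comes up at all is IKE NAT traversal: each side sends NAT-D hashes of where it thinks the packet came from and went to, and the peer recomputes the hash over what it actually sees on the wire. A mismatch means "there is a NAT in the path" (one NAT or two is indistinguishable), and both ends then float to udp/4500 and wrap ESP in UDP instead of sending raw ESP/AH. The script below simulates that check for the topology in the post. The public addresses and the translated source port are placeholders (the post only says "PublicIP"), the cookies are constructed, and SHA-1 is assumed as the negotiated hash.

```python
"""NAT detection as performed by IKE NAT-Traversal (NAT-D payloads, RFC 3947;
the IKEv2 equivalent is NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP,
RFC 7296 section 2.23).  Added example for this thread, not vendor code."""
import hashlib
import ipaddress
import struct
from typing import NamedTuple


class Endpoint(NamedTuple):
    ip: str
    port: int


class NatDetection(NamedTuple):
    peer_behind_nat: bool   # the initiator's packets were translated on the way in
    self_behind_nat: bool   # the responder's own address is translated
    use_udp_4500: bool      # any NAT at all => float to udp/4500, UDP-encapsulate ESP


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port).  Assumption: SHA-1 was negotiated."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed            # 4 bytes for v4, 16 for v6
    return hashlib.new(algo, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def responder_check(cky_i: bytes, cky_r: bytes, src_natd: bytes, dst_natd: bytes,
                    observed_peer: Endpoint, own: Endpoint, algo: str = "sha1") -> NatDetection:
    """Responder side: hash the addresses actually seen on the wire and compare
    with the hashes the initiator computed over its own (possibly private) view."""
    peer_behind_nat = nat_d_hash(cky_i, cky_r, observed_peer.ip, observed_peer.port, algo) != src_natd
    self_behind_nat = nat_d_hash(cky_i, cky_r, own.ip, own.port, algo) != dst_natd
    return NatDetection(peer_behind_nat, self_behind_nat, peer_behind_nat or self_behind_nat)


def simulate(client: Endpoint, client_as_seen_by_gateway: Endpoint, gateway: Endpoint) -> NatDetection:
    """Initiator builds its NAT-D payloads from its own addresses; the gateway checks them."""
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed cookies for the example
    cky_r = bytes.fromhex("fedcba9876543210")
    src_natd = nat_d_hash(cky_i, cky_r, client.ip, client.port)     # "this is where I think I am"
    dst_natd = nat_d_hash(cky_i, cky_r, gateway.ip, gateway.port)   # "this is where I think you are"
    return responder_check(cky_i, cky_r, src_natd, dst_natd, client_as_seen_by_gateway, gateway)


# Placeholders: the thread only says "PublicIP", so the public addresses below are
# RFC 5737 documentation ranges and the translated source port is made up.
GATEWAY = Endpoint("198.51.100.1", 500)
CLIENT_BACK = Endpoint("192.168.2.6", 500)            # behind wrt54g and wrt51ab (double NAT)
CLIENT_BACK_ON_WIRE = Endpoint("203.0.113.5", 1025)   # what the gateway sees after both NATs
CLIENT_DIRECT = Endpoint("203.0.113.5", 500)          # a client sitting on a public address

if __name__ == "__main__":
    print("double NAT:", simulate(CLIENT_BACK, CLIENT_BACK_ON_WIRE, GATEWAY))
    print("no NAT:    ", simulate(CLIENT_DIRECT, CLIENT_DIRECT, GATEWAY))
```

The double-NAT case and a single-NAT case produce the same result (only the wire view matters), which is why the protocol itself does not care how many routers are stacked. What does change with two routers is that both of them must pass udp/500 and udp/4500 outbound and keep the udp/4500 mapping alive for the return traffic; raw ESP/AH rules on the inner router do nothing once the exchange has floated to 4500.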

----- Original Message ----
From: Paul Melson <pmelson () gmail com>
To: Firewall Wizards Security Mailing List <firewall-wizards () listserv icsalabs com>
Sent: Thursday, January 31, 2008 4:57:06 AM
Subject: Re: [fw-wiz] Checkpoint and RTSP NAT


On Jan 30, 2008 12:35 PM, Pedro Henrique Morsch Mazzoni
<phmazzoni () gmail com> wrote:
> Client to server Transport field of RTSP packet: Transport:
>
>  RTP/AVP;unicast;client_port=6970-6971;mode=play,RTP/AVP/TCP;unicast;mode=play
>
>  Server response to client: Transport:
>
>  RTP/AVP;unicast;source=72.14.209.177;client_port=59598-59599;server_port=10580-10581;ssrc=6DF21148
>
> Does anyone know if Checkpoint NGX can be aware of RTSP when using NAT,
> and change the payload of the response packet?

Check Point has had no problem with RTSP since the pre-NG days.  Your
problem is that the firewall isn't looking for RTSP on those ports
(10580-10581).  By default, tcp/554 is the port for RTSP servers.

PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
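
[Editor's note: added illustration for the RTSP exchange quoted above, not code from Paul, from Pedro or from Check Point.] Paul's point is that the media ports in the server's reply (server_port=10580-10581) are only discoverable by reading the Transport header on the tcp/554 control connection; a firewall that is not inspecting RTSP there sees unsolicited UDP to high ports and drops it. The script below does the two things an RTSP-aware NAT has to do: derive the UDP pinholes from the reply, and rewrite the `source=` address when the media source sits behind hide NAT. The two headers are the ones quoted in the thread; the client address and the NAT mapping are constructed for the example.

```python
"""Pull the dynamic media ports out of an RTSP Transport header, the step a
NAT-aware firewall (or any RTSP ALG) performs after parsing the tcp/554
control connection.  Added example for this thread, not Check Point code."""
import re
from typing import Dict, List, NamedTuple, Optional


class TransportSpec(NamedTuple):
    profile: str                        # "RTP/AVP" (UDP) or "RTP/AVP/TCP" (interleaved)
    params: Dict[str, Optional[str]]    # bare tokens such as "unicast" map to None


class Pinhole(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_transport(header: str) -> List[TransportSpec]:
    """RFC 2326 section 12.39: comma-separated alternatives, ';'-separated parameters."""
    specs: List[TransportSpec] = []
    for alternative in header.split(","):
        tokens = [t.strip() for t in alternative.split(";") if t.strip()]
        if not tokens:
            continue
        params: Dict[str, Optional[str]] = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            params[key.lower()] = value or None
        specs.append(TransportSpec(tokens[0], params))
    return specs


def port_range(value: str) -> List[int]:
    """'10580-10581' -> [10580, 10581]; a single port such as '554' is allowed too."""
    lo_s, _, hi_s = value.partition("-")
    lo, hi = int(lo_s), int(hi_s) if hi_s else int(lo_s)
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"bad port range {value!r}")
    return list(range(lo, hi + 1))


def pinholes(response: str, server_ip: str, client_ip: str) -> List[Pinhole]:
    """Server->client UDP flows (RTP on the first port, RTCP on the second) that the
    firewall must open once it has seen the server's Transport reply."""
    holes: List[Pinhole] = []
    for spec in parse_transport(response):
        if spec.profile.upper().endswith("/TCP"):
            continue  # interleaved inside the tcp/554 control channel: nothing extra to open
        if not spec.params.get("server_port") or not spec.params.get("client_port"):
            continue  # a request, or a reply that never negotiated UDP media
        src = spec.params.get("source") or server_ip
        sports = port_range(spec.params["server_port"])
        cports = port_range(spec.params["client_port"])
        if len(sports) != len(cports):
            raise ValueError("server_port and client_port ranges differ in size")
        holes.extend(Pinhole("udp", src, sp, client_ip, cp) for sp, cp in zip(sports, cports))
    return holes


def rewrite_source(response: str, nat_map: Dict[str, str]) -> str:
    """The payload fix-up an ALG applies when the media source address is hide-NATed."""
    return re.sub(r"\bsource=([0-9.]+)",
                  lambda m: "source=" + nat_map.get(m.group(1), m.group(1)), response)


# The two headers quoted in the thread.
RTSP_REQUEST = "RTP/AVP;unicast;client_port=6970-6971;mode=play,RTP/AVP/TCP;unicast;mode=play"
RTSP_RESPONSE = ("RTP/AVP;unicast;source=72.14.209.177;client_port=59598-59599;"
                 "server_port=10580-10581;ssrc=6DF21148")
CLIENT_IP = "192.168.0.10"   # constructed: the RTSP client behind the firewall

if __name__ == "__main__":
    for h in pinholes(RTSP_RESPONSE, "72.14.209.177", CLIENT_IP):
        print(f"allow {h.proto} {h.src_ip}:{h.src_port} -> {h.dst_ip}:{h.dst_port}")
    # hypothetical hide-NAT mapping for a server on a private address
    print(rewrite_source(RTSP_RESPONSE, {"72.14.209.177": "203.0.113.10"}))
```

Note that the request's client_port (6970-6971) and the reply's client_port (59598-59599) differ in the quoted exchange; a NAT that translates the client's UDP ports has to rewrite that parameter in the outbound request as well, otherwise the server streams to ports the client never opened.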


