Sidestepping for the moment the safety/advisability of using pc anywhere through your firewall...

Assumption 1: Since you think ping should work, I'll assume ICMP is permitted through the firewall (check if policy properties has "allow ICMP" checked). I would be very cautious with allowing it myself...

Assumption 2: Your PC Anywhere service is correctly defined, you know the network objects in your firewall, and you understand the implications of doing what I'm suggesting.

You identified the real issue here: the accessibility of your workstation@work.

>My problem is my pc ip address is only valid to the internal network at work not to the internet.
>My pc at home can not ping my pc at work. Therefore I can not see the pcanywhere host
>(workstation at work) from my remote pc (pc at home).

Your workstation@work has a reserved address. It needs to have a legal external address to get incoming traffic from the internet. If that workstation has internet access now, you either

a) are already using address translation (NAT)
b) only use proxied connections to the internet (probably not, since it only works for TELNET, FTP, HTTP, RLOGIN)

FW-1 can use static mode NAT or hide mode NAT (the FW docs say 3 but work with me here).

Static mode assigns one legal address externally for every reserved internal address being translated. The firewall directly substitutes the legal IP for outgoing traffic and the reserved IP for incoming traffic. If you were using this, you should have been able to ping your box from outside.

Since you cannot, you are probably using hide mode, which hides all internal reserved addresses behind a single legal external address. It assigns a specific port to each outgoing connection, so it can distinguish traffic from different internal hosts. Two things about hide mode:

1) It only works on outgoing connections, because the fw assigns ports to outgoing traffic only.
2) ICMP is an IP protocol apart from TCP, which doesn't use ports, and is not supported by hide mode.

----solution that is only safe, really, if you have a fixed ip on box@home---------
To make your situation work, you need to create firewall workstation objects for your box@home and your workstation@work. For the workstation@work you need to address translate it to a fixed legal external ip. You can use automatic NAT on the NAT tab of that workstation object, if you like.

Then create a rule to allow the pc anywhere service _only to your workstation, and only from your ip address at home_. If you have a dynamic ip address at home (or even if you do), the following solution is much safer.

-----Much safer solution------
A much better solution would be to install SecuRemote on your home pc, and create a rule for vpn. This would let you have a dynamic address on box@home, and allow it to act like a host on your network at work, plus encrypt all of your traffic. The rule to create it would look like this:

src        dest           svc      action          track
-------------------------------------------------------------------------------
you@any    internal.net   pc-any   client encrypt  long

You don't need to create an object for box@home, just a user object to authenticate for SecuRemote. Creating a firewall user and setting up encryption and authentication are left as an exercise for the reader (consult your FW-1 manuals).

----Michael Cannella, Checkpoint Certified Security Instructor
----Internet Security Systems, eServices ( http://www.iss.net )
----mcannellaat_private

-----Original Message-----
From: Louis Mattera [mailto:lmatteraat_private]

I am having a problem getting thru my firewall at work using pcanywhere 9.0.

I am using a cisco router attached to a fractional t1 at work. Attached to the router is a checkpoint firewall. The ip addresses from the firewall out to the internet are valid tcp/ip addresses that can be ping'd from the internet. Behind the firewall is my pc workstation running windows 98. I have enabled the correct ports on the firewall for pcanywhere to work.

My problem is my pc ip address is only valid to the internal network at work not to the internet. My pc at home can not ping my pc at work. Therefore I can not see the pcanywhere host (workstation at work) from my remote pc (pc at home). What reading I have done so far tells me I need to do some kind of address translation at the firewall but I can not figure it out. So I am seeking help.

Hopefully I have provided enough information to whomever responds.

The network behind the firewall is nt 4.0. Should have mentioned it sooner.

Thanks for your help.
Please respond to my email lmatteraat_private
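A small Python model of the two FW-1 NAT modes the reply describes, added here as an illustration and not part of either message above; the StaticNat/HideNat classes are hypothetical, and the 10.1.2.3 and 192.0.2.x addresses are constructed sample values.

```python
# Added example, not from the original post: a toy model of static-mode and
# hide-mode NAT as the reply describes them, showing why an inbound pcAnywhere
# connection reaches a static-NAT host but never a hide-NAT host.
# Addresses are constructed sample values; 5631 is pcAnywhere's TCP data port.
PCANYWHERE_TCP = 5631


class StaticNat:
    def __init__(self, mapping):
        # One legal external address per reserved internal address.
        self.to_internal = {ext: internal for internal, ext in mapping.items()}

    def inbound(self, proto, dst_ip, dst_port=None):
        # Pure address substitution: works for TCP and for portless ICMP alike.
        return self.to_internal.get(dst_ip)


class HideNat:
    def __init__(self, hide_ip):
        self.hide_ip = hide_ip        # the single legal address everyone hides behind
        self.next_port = 10000
        self.table = {}               # (proto, external port) -> internal source address

    def outbound(self, proto, src_ip, src_port):
        # Ports exist only for TCP/UDP; as the reply describes, there is nothing
        # to hand out for ICMP, so it is not translated in this model.
        if proto not in ("tcp", "udp"):
            return None
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(proto, ext_port)] = src_ip
        return self.hide_ip, ext_port

    def inbound(self, proto, dst_ip, dst_port=None):
        # Only a reply to an already-translated outgoing connection has a mapping;
        # a fresh connection from the home PC hits an unmapped port and is dropped.
        if dst_ip != self.hide_ip:
            return None
        return self.table.get((proto, dst_port))


def demo():
    # Workstation 10.1.2.3 sits behind a firewall whose legal addresses are 192.0.2.x.
    static = StaticNat({"10.1.2.3": "192.0.2.10"})
    hide = HideNat("192.0.2.1")
    hide_ip, hide_port = hide.outbound("tcp", "10.1.2.3", 1025)  # e.g. a web request
    return {
        "static_pcanywhere": static.inbound("tcp", "192.0.2.10", PCANYWHERE_TCP),
        "static_ping": static.inbound("icmp", "192.0.2.10"),
        "hide_pcanywhere": hide.inbound("tcp", "192.0.2.1", PCANYWHERE_TCP),
        "hide_ping": hide.inbound("icmp", "192.0.2.1"),
        "hide_reply_to_outbound": hide.inbound("tcp", hide_ip, hide_port),
        "hide_icmp_outbound": hide.outbound("icmp", "10.1.2.3", None),
    }
```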
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:26 PDT