[FW1] question about encryption + NAT
Hello all - I have a question about running encryption with NAT
(specifically with FTP).

I have an internal host that has its address translated when FTPing to a
specified external host. I am connecting to this external host over a
firewall-firewall VPN (FWZ).

I am able to get the FTP connection up, and log into the remote host. The
packets are being sent to the remote host with a source address of my
translation address (as it should be). I can run commands that use the
original TCP session (such as pwd and bin/ascii), but if I try an ls or get
command, the FTP session hangs and then times out.

What I've noticed (with a protocol analyser) is that the packets with the
ls command are not being sent outside the firewall. It's as if the firewall
is losing the packets (there are no drop or reject messages in the log).

With the same rule, I can FTP from a host that does not require
translation, and everything works perfectly. I've also established a
passive-mode FTP session from the translated internal host, and that works
perfectly as well.

Any hints?

Thanks in advance,

John Baddiley
Senior Technical Consultant
Bank of New Zealand