On the second firewall, the encryption should take place on the address used by the NAT translation (the outside address). Are you encrypting based on the outside address, or on the internal, private addresses?

In other words, if you have a setup like this:

LAN-using-192.168.1.0---<FW1 w/NAT>---VPN-using-204.233.3.0---<FW2>---etc

On FW2's ruleset, are you encrypting based on the 192.168.1.0 address or the 204.233.3.0 address? You should be encrypting on the 204.233.3.0.

If that's not the problem, I'm not sure what else to say except go wild on the logging and see what's happening. It's possible that you have a crypt algorithm mismatch or something of that sort. If you don't see any encrypt/decrypt messages in the logs, then it's most likely a rule set to encrypt on a wrong source address.

On Fri, 29 Jun 2001, Madhur Nanda wrote:

> Hi,
>
> I am testing a setup where I have three firewalls in a chain.
>
> The first and second firewall form a g/w to g/w VPN, and then the second and
> third form another VPN. The second firewall has two interfaces and as
> such it forms a VPN with its peer on a different interface. I wish to allow
> traffic originating from the encryption domain of firewall one to systems in
> the encryption domain of firewall three. The second firewall comes in the
> middle and mediates the traffic. I am using NAT rules on the second
> firewall so as to distinguish between encryption domains on the second
> firewall.
>
> The traffic reaches the second firewall as desired (encrypt -> NAT ->
> ??). But when it leaves the second firewall it is not getting encrypted
> and going plainly.....
>
> Can someone throw some light on it????
>
> 1) NAT takes place at only one interface??
> 2) FW-1 can form an encryption VPN on two interfaces???
>
> TIA
>
> regds
> Madhur
>
> _______________________________________________
> Firewalls mailing list
> Firewalls@lists.gnac.net
> http://lists.gnac.net/mailman/listinfo/firewalls
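The order of operations behind the reply (tunnel from FW1 terminates, NAT rewrites the source, only then is the outbound encrypt rule evaluated) is easy to model. The following is an added illustration, not code from the thread or from any firewall product: it walks one packet through a simplified FW2 and shows that an encrypt rule keyed on the private 192.168.1.0 range never fires, while one keyed on the translated 204.233.3.0 range does. The one-to-one NAT mapping and FW3's encryption domain (10.9.9.0/24) are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread's diagram; FW3's domain is constructed for this example.
LAN = ipaddress.ip_network("192.168.1.0/24")          # behind FW1, pre-NAT
NAT_OUTSIDE = ipaddress.ip_network("204.233.3.0/24")  # source seen after FW2's NAT
FAR_DOMAIN = ipaddress.ip_network("10.9.9.0/24")      # assumed encryption domain of FW3


@dataclass
class Packet:
    src: str
    dst: str
    encrypted: bool = False


def fw2_forward(pkt: Packet, encrypt_src: ipaddress.IPv4Network) -> Packet:
    """Model FW2: (1) decrypt the FW1 tunnel, (2) apply NAT, (3) match the encrypt rule.

    encrypt_src is the source network the outbound encrypt rule is written for.
    The rule is evaluated against the packet *after* translation, which is the
    point the reply makes: keying it on the private range matches nothing.
    """
    # (1) The gateway-to-gateway tunnel from FW1 terminates here.
    out = Packet(pkt.src, pkt.dst, encrypted=False)

    # (2) Assumed static one-to-one NAT: 192.168.1.x -> 204.233.3.x (host part kept).
    src = ipaddress.ip_address(out.src)
    if src in LAN:
        host = int(src) - int(LAN.network_address)
        out.src = str(NAT_OUTSIDE.network_address + host)

    # (3) Outbound encrypt rule sees only the translated source address.
    if ipaddress.ip_address(out.src) in encrypt_src and ipaddress.ip_address(out.dst) in FAR_DOMAIN:
        out.encrypted = True
    return out


def leaves_in_clear(pkt: Packet, encrypt_src: ipaddress.IPv4Network) -> bool:
    """True when FW2 would forward the packet towards FW3 unencrypted."""
    return not fw2_forward(pkt, encrypt_src).encrypted


if __name__ == "__main__":
    p = Packet("192.168.1.10", "10.9.9.5")
    print("rule on 192.168.1.0/24 -> leaves in clear:", leaves_in_clear(p, LAN))
    print("rule on 204.233.3.0/24 -> leaves in clear:", leaves_in_clear(p, NAT_OUTSIDE))
```

A real gateway would also log the encrypt/decrypt decisions the reply asks about; the `leaves_in_clear` check is the condition those logs would reveal.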