hi,

does anyone of you have this configuration up and running WITHOUT defining the
topology of all interfaces?

i know one installation where no topology is defined and the checkbox "Support
connectivity enhancement for gateways with multiple external interfaces" is checked
and office mode does not work.

is it necessary to define the topology to get this working?

thanks,
markus


At 06:30 29.04.2004, you wrote:
>Ray and Chris,
>
>Thanks a ton for your help.  I turned off the anti-spoofing on the WLAN
>interface and it worked like a charm.
>
>Chris, can you elaborate on the potential problems associated with turning
>that off?
>
>Thanks again!
>
>Geoff.
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[EMAIL PROTECTED] On Behalf Of Ray Pesek
>Sent: Wednesday, April 28, 2004 8:05 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Using Office Mode from behind additional firewall
>interface = Tunnel Test failed (-121).
>
>
>Hi Chris and Geoff,
>
>We did exactly the same thing on R55, had exactly the same issue, and ended
>up "fixing" it by turning off anti-spoofing on the WLAN interface as well.
>We had a case open with Check Point but never really did resolve it.
>
>Ray
>
>>From: Chris Hoff <[EMAIL PROTECTED]>
>>Reply-To: Mailing list for discussion of Firewall-1
>><[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: Re: [FW-1] Using Office Mode from behind additional firewall
>>interface = Tunnel Test failed (-121).
>>Date: Wed, 28 Apr 2004 16:31:43 -0500
>>
>>We just recently did this. We ran into the same problem, and it came
>>down to address spoofing. I don't remember all the specifics, but when
>>using office mode, the client uses the office mode IP address for all
>>packets. The WLAN interface's topology is probably set to some other
>>address scheme that does not include this, and therefore it is going to
>>drop it. Unfortunately, if you set up the topology to include the office
>>mode subnet, the external interface may begin to drop traffic because
>>they expect traffic originating from that subnet. I think all we have
>>done to this point is disable anti-spoofing on the WLAN interface. This
>>does pose potential problems, so be careful.
>>
>>We have not had the time to really sit down and figure out how to
>>implement this with anti-spoofing enabled on that interface, so if
>>anyone has any suggestions, it would be appreciated.
>>
>>Regards,
>>
>>Chris
>>
>>-----Original Message-----
>>From: Mailing list for discussion of Firewall-1
>>[mailto:[EMAIL PROTECTED] On Behalf Of Geoff
>>Brisbine
>>Sent: Wednesday, April 28, 2004 3:25 PM
>>To: [EMAIL PROTECTED]
>>Subject: [FW-1] Using Office Mode from behind additional firewall
>>interface = Tunnel Test failed (-121).
>>
>>Greetings, all.
>>
>>It's my first post to this list, so please bear with me.
>>
>>We are implementing a WLAN here.  The WLAN is sitting on its own
>>interface on our R55 SecurePlatform box.  Due to the 3-5 minute lag of
>>being able to ping via WINS name (whether on the WLAN or from home) I
>>decided to use Office Mode.  Most of the WLAN users will also be VPNing
>>in from home via SecureClient.
>>
>>When I connect up with SecureClient R55 it tells me Tunnel Test failed
>>(-121).  When I connect up with SecureClient R56 it tells me that it
>>connected successfully, but it exhibits the identical symptoms to R55.
>>The symptom is that I am unable to hit anything on the trusted side of
>>our firewall.
>>
>>I researched the Tunnel Test Failed message and followed the step in
>>sk10980 but I still got the Tunnel Test failed.  I also set the Office
>>Mode to "Support connectivity enhancement for gateways with multiple
>>external interfaces" without any luck.  Has anyone gotten Office Mode
>>to work from a separate interface of the firewall (not external)?
>>
>>I would be happy to provide any additional information or logs.
>>
>>Thanks!
>>
>>Geoff Brisbine | Network Administrator
>>
>>MI-Assistant - A Division of Fiserv FSC, Inc.
>>26550 West Mondovi Street | Eleva, WI  54738
>>Phone: 715.287.4262 | Fax: 715.287.4576
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================

--
Markus Hofbauer, Technical Services | IT-Sicherheit
Bacher Systems EDV GmbH, Wienerbergstr. 11B, A-1101 Wien, Austria
phone: +43 (1) 60 126-34 | fax: +43 (1) 60 126-4
e-mail: [EMAIL PROTECTED] | web: www.bacher.at
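
An added illustration, not part of the thread and not Check Point code: a simplified Python model of the topology-based anti-spoofing behaviour Chris describes, comparing the three configurations discussed. The subnets, the interface names and the rule that the external interface rejects any source defined behind another interface are assumptions of this model.

```python
import ipaddress as ip

# Constructed addressing (assumption; the thread gives no subnets).
LAN = ip.ip_network("10.1.0.0/24")          # trusted side
WLAN = ip.ip_network("10.2.0.0/24")         # WLAN segment
OFFICE_MODE = ip.ip_network("10.9.0.0/24")  # Office Mode pool

def make_gateway(wlan_topology, wlan_antispoof=True):
    """Interface name -> (anti-spoofing enabled, networks defined behind it)."""
    return {
        "lan": (True, [LAN]),
        "wlan": (wlan_antispoof, list(wlan_topology)),
        "external": (True, None),  # None: everything NOT behind another interface
    }

def antispoof_accepts(gw, iface, src):
    """True if a packet with source `src` arriving on `iface` passes the check."""
    enabled, nets = gw[iface]
    if not enabled:
        return True  # check disabled: any source address is accepted
    src = ip.ip_address(src)
    if nets is not None:
        return any(src in n for n in nets)
    # External interface: reject sources claimed by any other interface.
    claimed = [n for name, (_, ns) in gw.items() if ns for n in ns]
    return not any(src in n for n in claimed)

def evaluate(gw):
    """Run the three packets of interest through one gateway configuration."""
    return {
        "office_mode_via_wlan": antispoof_accepts(gw, "wlan", "10.9.0.5"),
        "office_mode_via_external": antispoof_accepts(gw, "external", "10.9.0.5"),
        "forged_lan_source_via_wlan": antispoof_accepts(gw, "wlan", "10.1.0.20"),
    }

SCENARIOS = {
    "wlan topology = WLAN subnet only": make_gateway([WLAN]),
    "wlan topology + office mode pool": make_gateway([WLAN, OFFICE_MODE]),
    "anti-spoofing off on wlan": make_gateway([WLAN], wlan_antispoof=False),
}

if __name__ == "__main__":
    for name, gw in SCENARIOS.items():
        print(f"{name}: {evaluate(gw)}")
```

In this model the third scenario shows the cost of the workaround: with the check off, the WLAN interface also accepts a packet that claims a trusted-side source address.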
