Maybe you and I can have a small discussion on this Office Mode setup. We have never been able to get Secure Client working in a situation where the address being connected from matches an Encryption domain address.

We use Office Mode and Secure Client. Office Mode addresses are given out by a separate DHCP server and the range falls outside the internal LAN. On the firewalls themselves the Office Mode Pool is routed to the external interface of the firewall. What happens when a connection is attempted is essentially a Gateway Not Responding error and nothing at all shows up in the Smartview Tracker. Any ideas on this?

For background we are running a clustered firewall NG AI 54 as well as several internal firewalls anywhere between FP3 and R55. Management is R55 and all of the firewalls plus management are running either on Red Hat 7.3 or RHEL3.0. Everything is currently in Traditional Mode.

From a SW Monitor it actually appears that my external address is trying to talk to the internal address of the firewall when I have an address that conflicts with the Encnet. Any ideas would be great.

Thanks

Jeremy Lieb
CCNA CCSA-NG CCSE-NG
Firewall Administrator
Open Text Corporation
847-267-9330 ext 4395

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Friday, September 24, 2004 7:26 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Another.....Another..... Another NAT question (SecuRemote)

You actually can use any IP range you want for the Office Mode IP Pool as long as it's routable from any internal location to the internal interface of the gateway. A simple traceroute will confirm your routing. The Office Mode IPs are never exposed on the Internet.

Since NG AI, you can have the Office Mode IP Pool in your encryption domain. We do. It allows SecureClient-to-SecureClient connections (think VoIP or NetMeeting).

Ray

>From: Jean-Francois Gobin <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [FW-1] Another.....Another..... Another NAT question (SecuRemote)
>Date: Fri, 24 Sep 2004 20:54:06 +0200
>
>Yes, it can solve it. Just allocate a small part of the 192.168.1.x (for
>ex. 150->160) and exclude it from the DHCP or from the static addressing,
>and just set up arp proxy in the FW for those IPs.
>
>JF
>
>On Fri, 24 Sep 2004, Peter G. Viscarola wrote:
>
>>>
>>>Another advantage of SecureClient is that it has Office Mode,
>>>where you can assign a specific network to remote users.
>>>
>>
>>WOW! (sorry, I'm a bit late to the discussion)
>>
>>Can somebody, ANYbody, confirm that Office Mode actually does solve the
>>original poster's problem (of being able to access the private lan via VPN
>>from the Hotel in the following setup):
>>
>>Hotel Subnet A (192.168.1.xxx) --> internet --> FW --> Private
>>Lan(192.168.1.xxx)
>>
>>We've been "just living with" the problem of traveling and being at a
>>hotel that coincidentally uses the same subnet address as our private
>>lan.
>>Because SecuRemote thinks you're within the encryption domain, it
>>doesn't encrypt or authenticate (and thus no VPN access).
>>
>>We've just upgraded from V4.1 to NG AI R55, and I've got our users still
>>on Secure Remote for now. I've gotten Secure Client running with Office
>>Mode and Visitor Mode (and all the other attendant goodies like IP
>>compression) running for test purposes... But didn't realize it would
>>solve the above problem.
>>
>>Can somebody please confirm that they've actually seen Office Mode solve
>>this problem? If so, I'll be soooo totally thrilled and I'll be an
>>instant hero,
>>
>>Peter
>>OSR
>>
>>=================================================
>>To set vacation, Out-Of-Office, or away messages,
>>send an email to [EMAIL PROTECTED]
>>in the BODY of the email add:
>>set fw-1-mailinglist nomail
>>=================================================
>>To unsubscribe from this mailing list,
>>please see the instructions at
>>http://www.checkpoint.com/services/mailing.html
>>=================================================
>>If you have any questions on how to change your
>>subscription options, email
>>[EMAIL PROTECTED]
>>=================================================
>>
>
>----------
>Jean-Francois Gobin - Administrator gobinjf.be
>http://www.gobinjf.be mailto:[EMAIL PROTECTED]
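
An added example (not part of any message in this thread, and not Check Point tooling): a Python check of the address plan discussed above. It flags a client whose physical address falls inside the encryption domain (the hotel case), an Office Mode pool carved out of the encryption domain, and a pool that overlaps a LAN DHCP range. The function name, finding codes and all sample addresses other than 192.168.1.x and the .150-.160 pool are assumptions.

```python
import ipaddress

def _range(first, last):
    """Parse an inclusive address range into a pair of integers."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi

def check_address_plan(client_ip, encryption_domain, office_pool, dhcp_ranges=()):
    """Return finding codes for one remote client against the gateway's plan.

    client_ip         -- physical address the client has at the remote site
    encryption_domain -- CIDR strings for the networks behind the gateway
    office_pool       -- (first, last) Office Mode pool, inclusive
    dhcp_ranges       -- (first, last) ranges already handed out on the LAN
    """
    client = ipaddress.ip_address(client_ip)
    domain = [ipaddress.ip_network(n) for n in encryption_domain]
    pool_lo, pool_hi = _range(*office_pool)
    findings = []

    # The hotel case from the thread: the client's own address looks internal.
    if any(client in net for net in domain):
        findings.append("CLIENT_IN_ENCDOMAIN")

    # Pool carved out of the encryption domain (the layout Ray and JF describe).
    if any(int(net.network_address) <= pool_lo and
           pool_hi <= int(net.broadcast_address) for net in domain):
        findings.append("POOL_IN_ENCDOMAIN")

    # JF's condition: the pool has to be excluded from DHCP on the LAN.
    for first, last in dhcp_ranges:
        lo, hi = _range(first, last)
        if lo <= pool_hi and pool_lo <= hi:
            findings.append(f"POOL_OVERLAPS_DHCP:{first}-{last}")
    return findings

# Constructed sample: only 192.168.1.x and the .150-.160 pool come from the thread.
if __name__ == "__main__":
    print(check_address_plan("192.168.1.57", ["192.168.1.0/24"],
                             ("192.168.1.150", "192.168.1.160"),
                             [("192.168.1.100", "192.168.1.199")]))
```
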
