Quite thorough explanation. Let's try taking the Office Mode DHCP server out
of the picture. Change to an Office Mode IP Pool by creating a network
object using the same network as handed out by the DHCP server. I recall
reading an article that said you had to reboot the gateway if you CHANGED
the Office Mode IP Pool range, but I don't know if that applies to creating
one.

How often are you performing topology updates? The default of one hour?

What version of SecureClient are you using and what is the OS of the client?
Windows NT and 9x cache the last DHCP address in the registry. If you boot
the computer while inside the company, shut down, go home, and start the
computer while the same internal NIC is still installed, you're dead in the
water unless you remove the internal NIC or release the IP address that you
will not see as in use. Windows 2000 & XP don't have this issue.

Ray

From: Jeremy Lieb <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Another.....Another..... Another NAT question (SecuRemote)
Date: Sat, 25 Sep 2004 11:24:21 -0400

What happens is that I plug in my Userid and Password, hit connect, and I
never get any Authenticated by Firewall1 messages. It jumps first to
Updating Site and just sits on that until it fails and asks for Auth
again. An ipconfig /all during this only shows my 192.168.1.X IP, which
is in conflict with the Encnet.

When I run SRFW monitor, 192.168.1.100 is constantly trying to talk
directly to the internal interface of our firewall for TCP 500, as if
somehow it already believes that I am inside the Encnet. Our Office Mode
range is given out from an internal DHCP server. The range however is
not internal. So you see, I never get as far as having an OM address
assigned when I use a Network # that falls inside the Encnet, even though
we believe we have OM configured properly and routing configured
properly.

On the other hand, when I use the network 192.168.255.X, which is not
inside our encnet, I not only get my OM address but I connect
successfully. The results of srfw monitor in this instance show my
internal address 192.168.255.100 talking directly to the external
interface of the firewall: first for TCP 264, then UDP 2746 (UDP Encaps)
and TCP 500. Then of course the OM address takes over the talking. If
you need any more specific info let me know.

Thanks

Jeremy Lieb  CCNA CCSA-NG CCSE-NG
Firewall Administrator
Open Text Corporation
847-267-9330 ext 4395
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Friday, September 24, 2004 10:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Another.....Another..... Another NAT question (SecuRemote)

Sure.

>On the firewalls themselves the Office Mode Pool is routed
>to the external interface of the firewall.

Yep, that's right. If a SecureClient Office Mode connection is using
192.168.200.10, for example, and you traceroute to it from the internal
network, it will end up on the SecureClient machine. If no SecureClient
connection is using that particular Office Mode IP address, the traceroute
will zip through the gateway and end up going to the Internet.

>What happens when a
>connection is attempted is essentially a Gateway Not Responding error
>and nothing at all shows up in the Smartview Tracker.

No authentication, no IKE traffic, nothing? What are the exact messages
showing in the status window of SecureClient? What does ipconfig /all show
on the SecureClient machine while this is happening?

Or do you mean that the connection appears to be successful but no traffic
is routed from the SecureClient box to the gateway because of the same
subnet problem?

>From a SW Monitor it actually appears that my external address is trying to
>talk to the internal address of the firewall when I have an address that
>conflicts with the Encnet.

Can you give an example of this? I'm unclear on what you mean.

Ray

_________________________________________________________________
Don't just search. Find. Check out the new MSN Search!
http://search.msn.click-url.com/go/onm00200636ave/direct/01/

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
