Hi,

>> so our experience doesn't prove anything. BUT, I don't recall any caveats
>> from Checkpoint about IP pools having the problem you describe, as that
>> would make IP Pools essentially useless.

In an environment where users have broadband routers and the same default IPs, yes, IP Pools are not suitable to resolve that. They can still be useful for MEP, as the Office Mode IP from the 1st gateway (Connect) is used.

> Since we didn't pay for SecureClient, we have to use SecuRemote

True from a 'sustainable' standpoint. You can install SC and use Office Mode, even without an SC license, but it is a) likely a violation of the license and b) has to be considered a 'glitch' that might be fixed in the next version.

>> > packet after decryption on gateway, before IP Pool NAT
>> > src 192.168.0.1 dst server <-- several clients will have 192.168.0.1 at this point, causing conflicts
>> -- the gateway has to "remember" that the packet came from the routable IP address (your example is 4.1.1.1) so it can get sent back where it came from -- isn't Checkpoint smart enough to keep all these VPN separate?

Alas, not really. There's a table that links 4.1.1.1 to 192.168.0.1, and there's a table (the IP Pool NAT table) that has 192.168.0.1 and 10.1.1.1. You'd end up, for a 2nd client, with an entry 4.1.1.2 to 192.168.0.1 (so, uh, if I see a packet to 192.168.0.1 now, where do I send it to?), and the IP Pool NAT entry - hey, we already have one!

Best way to see this is to try it and look at the tables while it's happening. I've had customers who ran into this, and had the same IP Pool NAT assigned to multiple machines. That can produce some interesting effects.

>> And, I'm not an expert on TCP/IP, but I seem to recall that the NAT process uses session numbers to keep track of which packet goes to which non-routable private IP address... I think that would enable the gateway to figure out which packet goes where.

No ... wrong tree, I am afraid :). NAT is just a match of one IP address to another. In one-to-one or many-to-many NAT (which is what we're looking at with IP Pools), it's just the IP address that gets swapped out. You have a table that matches "real" address to "NAT" address, and that's the extent of it. Fairly simple.

In many-to-one NAT (Hide NAT), port numbers come in to keep track of which return packet belongs to which internal host. That has nothing to do with IP Pools, however. No session number counting is going on with NAT at all. Or rather, it's not part of NAT per se. If your firewall does session number sanity checking, it can do that and NAT something at the same time, of course.

As for "why'd my mgmt II class not discuss this": This issue is not, afaik, part of the CP documentation. At least not in this detail. There's a lot of confusion surrounding IP Pool, MEP, Office Mode, and how they work. Trainers are as confused as the rest of us. Sometimes, I think the people who write CP documentation on the subject are confused :)

Me, I think I got it down, but I'm always ready to be proven wrong on a point. There are others who also think they got it down, but their view of IP Pools and how they work differs from mine. Fundamentally, as in "sure it'll solve issues with clients that have the same IP". As a result, some peer review took place here at Integralis, and in the end, the consensus was the view I now present.
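A constructed model of the two gateway tables the reply describes (the tunnel-to-inner-IP table and the IP Pool NAT table), added here as an illustration; it is not Check Point code or the poster's, and the Gateway class, its table names and simulate() are made-up names for this example. It shows the overwritten entry and shared pool address when two SecuRemote clients both present 192.168.0.1, and the same flow with unique (Office Mode style) inner addresses.

```python
# Constructed model of the two gateway tables described in the message above.
# Not Check Point code; the Gateway class and table names are assumptions for illustration.

class Gateway:
    """Tracks each decrypted client's inner IP per tunnel, then applies IP Pool NAT."""

    def __init__(self, pool):
        self.free_pool = list(pool)   # unused IP Pool addresses
        self.tunnel_table = {}        # inner client IP -> routable peer IP of its tunnel
        self.pool_nat_table = {}      # inner client IP -> pool address assigned to it
        self.conflicts = []           # (inner IP, old peer, new peer) when a 2nd peer reuses an inner IP

    def inbound(self, peer_ip, inner_src):
        """Packet from peer_ip decrypts to inner_src; return the NATed source sent to the server."""
        prev = self.tunnel_table.get(inner_src)
        if prev is not None and prev != peer_ip:
            # Same private address from a different tunnel: the old entry is simply overwritten.
            self.conflicts.append((inner_src, prev, peer_ip))
        self.tunnel_table[inner_src] = peer_ip
        if inner_src not in self.pool_nat_table:
            # One-to-one NAT: only the address is swapped, no ports or session numbers involved.
            self.pool_nat_table[inner_src] = self.free_pool.pop(0)
        return self.pool_nat_table[inner_src]

    def reply(self, pool_dst):
        """Server reply to pool_dst: reverse the NAT, then look up which tunnel receives it."""
        inner = next(k for k, v in self.pool_nat_table.items() if v == pool_dst)
        return inner, self.tunnel_table[inner]


def simulate(inner_a, inner_b):
    """Two clients at 4.1.1.1 and 4.1.1.2 (the message's example) with the given inner addresses."""
    gw = Gateway(["10.1.1.1", "10.1.1.2"])
    nat_a = gw.inbound("4.1.1.1", inner_a)
    nat_b = gw.inbound("4.1.1.2", inner_b)
    _, reply_peer_for_a = gw.reply(nat_a)   # where does the reply to client A's traffic go?
    return {"nat_a": nat_a, "nat_b": nat_b,
            "reply_to_a_goes_to": reply_peer_for_a, "conflicts": gw.conflicts}


if __name__ == "__main__":
    # SecuRemote behind broadband routers: both clients present 192.168.0.1.
    print(simulate("192.168.0.1", "192.168.0.1"))
    # Unique inner addresses per client (what Office Mode provides): tables stay consistent.
    print(simulate("192.168.50.1", "192.168.50.2"))
```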
