Hi David,

The problem with using an already-assigned internal subnet is that your
internal routers will affect the traffic. The real requirement is for you to
use a subnet that your internal routers know belongs to the firewall.

In other words, a traceroute originating from any internal machine to an
Office Mode IP Pool subnet address must route back to the firewall, because
that's where the Office Mode subnet lives. If the default route on your
internal routers throws all traffic back to the firewall, you're probably OK.
If their default route points somewhere else, you'll need a static route on
each internal router to send the Office Mode IP range back to the firewall
internal interface (the Internet, actually).

I, too, have a full Class B public IP space and we use it internally.
Internally we subnet it as Class C. I took one of these unused Class C
subnets and assigned it as the Office Mode IP Pool. Since none of my
internal routers know about it, their default route sends the traffic back
to the firewall and all is well.

Whatever IP range you assign as the Office Mode IP Pool is never exposed on
the Internet, just internally. If your tcp wrappers and other ACLs use the
entire IP range you have internally, then you can use this method as well.

HTH,

Ray
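A way to test the routing requirement Ray describes before committing to a pool, as an added example that is not from the thread or from Check Point: the Class B range, the firewall's internal address and the router table below are constructed, and the check flags a pool that sits outside the tcp wrappers range, overlaps a subnet routed elsewhere, or would not be sent back to the firewall by the router's longest-prefix match.

```python
import ipaddress

# Constructed sample data (not from the thread): an internal Class B carved into
# Class C subnets, the firewall's internal interface, and one internal router's table.
TCP_WRAPPER_RANGE = "10.20.0.0/16"      # only this range may reach the wrapped hosts
FIREWALL_INTERNAL_IP = "10.20.0.1"      # where the Office Mode subnet "lives"
ROUTER_TABLE = [
    ("0.0.0.0/0", "10.20.0.1"),         # default route back to the firewall
    ("10.20.1.0/24", "10.20.0.2"),      # assigned internal subnets via a core router
    ("10.20.2.0/24", "10.20.0.2"),
]


def parse_routes(table):
    """Turn (prefix, next_hop) strings into ipaddress objects."""
    return [(ipaddress.ip_network(p), ipaddress.ip_address(h)) for p, h in table]


def longest_match(pool, routes):
    """Route an internal router would pick for traffic to the pool (longest prefix)."""
    covering = [r for r in routes if r[0].supernet_of(pool)]
    return max(covering, key=lambda r: r[0].prefixlen) if covering else None


def check_office_mode_pool(pool, table, firewall_ip, wrapper_range):
    """Return a list of problems with a candidate Office Mode pool; empty means OK."""
    pool = ipaddress.ip_network(pool)
    firewall = ipaddress.ip_address(firewall_ip)
    routes = parse_routes(table)
    findings = []
    # David's constraint: the wrapped hosts only accept the internal range.
    if not ipaddress.ip_network(wrapper_range).supernet_of(pool):
        findings.append(f"{pool} is outside the tcp wrappers range {wrapper_range}")
    # Ray's point: an already-assigned subnet routed elsewhere swallows the traffic.
    for net, hop in routes:
        if net.prefixlen > 0 and net.overlaps(pool) and hop != firewall:
            findings.append(f"{pool} overlaps {net}, routed via {hop}, not the firewall")
    # The route the router actually picks must point back at the firewall.
    match = longest_match(pool, routes)
    if match is None:
        findings.append(f"no route covers {pool}")
    elif match[1] != firewall:
        findings.append(f"{pool} goes to {match[1]} via {match[0]}; add a static route to {firewall}")
    return findings
```

An unused Class C inside the Class B passes with the default route pointing at the firewall; the same pool with the default route pointing at a core router only passes once a static route for it is added.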

From: David Strom <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Office Mode IP assignment
Date: Sat, 9 Apr 2005 23:22:15 -0400

OK, I understand what you're saying about private address range
conflicts.  But, we're a university, and our internal network is a
routable subnet, not a reserved/private range as you seem to assume.
And, we *can't* use another subnet like your second paragraph suggests,
since only addresses in our subnet range are permitted to connect to our
hosts (tcp wrappers, not changing this config).  See, MS PPTP does
exactly what we want, as does SecuRemote using IP Pools (but there's a
potential problem with that).  Seems like Checkpoint would have noticed
what MS is doing & thought to provide the same type of capability.

I'll check the VPN Guide, thanks.

--
David Strom


Gerson Levitz wrote:

Office mode was developed to eliminate problems with SR clients whose
IP address is in the same numbering scheme as your private network and
to overcome routing issues once SR client was connected.

So based upon that you do not want to use your External addresses for
Office Mode. Say your internal network is 192.168.1.0/24 you can make
your office mode 192.168.200.0/24. What you need to make sure is that
you route this network to the firewall.

As you mentioned above in the SmartDashboard you need to either use
DHCP or configure a network object for Office mode. If you want to use
a range of addresses you can do this by using the IPASSIGNMENT.CONF
file where you can specify a range of addresses to assign to a group
of users.  See page 153 of the R55 VPN Guide for instructions.

Gerson

On Apr 8, 2005 5:05 PM, David Strom <[EMAIL PROTECTED]> wrote:

I think that you've hit on my problem -- I NEED the IP addresses to be
part of my "encryption domain".  I don't use the VPN terminology often
enough to be really comfortable that I'm right, but I need the IP
addresses assigned to my remote access clients to be part of my internal
network, hence part of the "encryption domain" (if I've got the
terminology right).   This works for SecuRemote & IP Pools (although
there are problems with how Checkpoint handles this, I'm told via this
mail list), and also how Microsoft PPTP works for us.  I can't use a
separate network.

So, if anyone has an answer, I'd appreciate it.

IMHO, it seems rather short-sighted of Checkpoint not to make this type
of functionality work for its customers.

--
David Strom


Joe Pope wrote:

I use Office Mode for my SecureClients, and do not use DHCP.  I created
a new network (say 192.168.1.0/24) and that
is what I selected for the IP range.  You can use any IP addresses you
want, just make sure they are NOT part of
your encrypted domain.  Private IP addresses work perfectly. Then you can
assign DNS and/or WINS information (I did my internal DNS servers) and
the SecureClients will use this to resolve addresses.  Works fine for
us with no problems!
(R55 HFA09 SecurePlatform clustered with Rainfinity)

Joe

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of David
Strom
Sent: Thursday, April 07, 2005 4:11 PM
To: [email protected]
Subject: [FW-1] Office Mode IP assignment


I saw some posts on this, and I have this question: Is there a way to allocate a subset of our internal class C subnet for Office mode client use? I.e., we have a class C subnet x.y.z.0 and we want to use say, x.y.z.101 through 110 for the Office mode clients. We just tried this with our reseller and the FW screen for this wanted to either allocate from a DHCP server (we don't have one) or a Network or Group. Not an IP Pool like we're using with SecuRemote for the time being. There are problems reported with this SR & IP Pools, so I was trying the SecureClient with Office Mode to see if it would work. The reseller was surprised we couldn't specify an IP Pool type of IP range for our Office Mode clients. Even called the Checkpoint tech rep for comment. <sigh> No help there, either.

It would be so cool if Checkpoint could do the same thing as Microsoft
PPTP (only more securely), which I thought Office Mode was supposed to
do, and SR with IP Pools does with caveats (except for joining the MS
domain).  We need the IPs to be part of our subnet range, because the
Solaris hosts are wrapped to only allow connections from within our IP
range... we shouldn't have to change all our Sun hosts configs just to
accommodate a VPN remote access product.  Might just have to keep letting
people use PPTP.

CP version is R55 on a Sun Solaris system, with VPN Accelerator card II
(hardly used).  Thanks for any help.

--
David Strom

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
