OfficeMode is the way to go.  Pick a network or IP range that is not
in use on your network, and use that net/range for your OfficeMode IP
pool.  Add internal routes as needed to the OfficeMode destination
with the fw as the gateway.  Your internal servers will see the
OfficeMode assigned IP address, not the clients' real IP address.

SecuRemote will not work with OfficeMode.  You must purchase
SecureClient or SSL Network Extender.  If you have to use SecuRemote,
then your only option is to use IP Pool NAT.

You don't have to config vpn-clients to route through gateway unless
(a) your company needs to log/restrict/filter vpn-clients' internet
destinations or (b) you want to enable client-to-client communications
(for things like netmeeting or file sharing).  Other reasons to route
through gateway involve having a complex site-to-site VPN routing
scenario with disparate encryption algorithms and multiple VPN
communities; and needing to have all vpn-clients get to all of
these VPN destinations.


-fwguru
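
An added example, not part of the original post and not Check Point tooling: a Python check for the pool-selection step described above. It confirms that a candidate OfficeMode pool overlaps nothing already routed, picks a free range, and derives the route that internal servers need. All addresses and the `IN_USE` list are constructed sample values.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory: internal LAN, two management networks,
# and common home-router defaults that remote clients often sit behind.
IN_USE = ["10.0.0.0/16", "10.10.1.0/24", "10.10.2.0/24",
          "192.168.0.0/24", "192.168.1.0/24"]

def conflicts(pool, in_use):
    """Return the in-use networks that overlap the candidate pool."""
    pool = ipaddress.ip_network(pool)
    return [n for n in in_use if pool.overlaps(ipaddress.ip_network(n))]

def first_free_pool(in_use, prefixlen=24):
    """Return the first RFC 1918 subnet of this size that overlaps nothing in use."""
    used = [ipaddress.ip_network(n) for n in in_use]
    for block in RFC1918:
        for cand in block.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(u) for u in used):
                return str(cand)
    return None

def route_for(pool, fw_internal_ip):
    """Return (destination, netmask, gateway) for the route servers need to the pool."""
    net = ipaddress.ip_network(pool)
    gw = ipaddress.ip_address(fw_internal_ip)
    if gw in net:
        raise ValueError("gateway must not be inside the OfficeMode pool")
    return (str(net.network_address), str(net.netmask), str(gw))

if __name__ == "__main__":
    candidate = "10.10.2.128/25"            # constructed: collides with a management net
    print(candidate, "conflicts with", conflicts(candidate, IN_USE))
    pool = first_free_pool(IN_USE)
    print("free pool:", pool)
    print("server route:", route_for(pool, "10.0.0.1"))   # constructed firewall IP
```
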



On 4/21/05, Timothy Arnold <[EMAIL PROTECTED]> wrote:
> Neil,
>
> I presume this is using office mode? I tried to configure it using another
> 10.x range address space but the client gets "Assigned IP: Failed". The VPN
> is used for accessing two management networks, so I guess that the checkpoint
> SecuRemote needs to also obtain some static routes to these networks, unless
> I force all traffic through the gateway (i.e. for general internet access?).
>
> I would appreciate any thoughts that you might have with regards to setting
> up VPN services.
>
> Cheers
> Tim.
>
> ----- Original Message -----
> From: "Neil Kemp" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Wednesday, April 20, 2005 10:02 AM
> Subject: Re: [FW-1] VPN Advice
>
> > You could use IP Pools perhaps, where you configure a network for the
> > users to grab an IP address when they authenticate. Then add routes to
> > route that specific network out through the Firewalls interface.
> >
> > Cheers.
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] On Behalf Of Timothy Arnold
> > Sent: Wednesday, April 20, 2005 9:39 AM
> > To: [email protected]
> > Subject: [FW-1] VPN Advice
> >
> > Hi,
> >
> > (Running Nokia IP350 cluster with R56)
> >
> > I am fairly new to Checkpoint/Nokia and I am currently looking for some
> > VPN advice. I have configured the SecuRemote client to access the VPN
> > across the Internet and it authenticates fine. I can now access the
> > servers but unfortunately it appears the client comes from their 'local'
> > IP address and not the nat address that every other Internet client would
> > see them from.
> >
> > Is it possible to use the nat address (that the firewall will see when
> > establishing the connection) or is it possible to nat the clients to the
> > IP address of the gateway? The reason I ask is that it is causing some
> > routing problems on the servers as they are multi-homed and have static
> > routes which conflict with the clients' local IPs.
> >
> > Any ideas?
> >
> > Thanks
> > Tim
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
> >
>
