Hi ...

I.e., if your internal net is 123.4.5.x/255.255.255.0 and you only want to 
use a range of that subnet for your remote users (e.g., 
123.4.5.101-123.4.5.111), you still need to define a SC pool as usual; 
however, you can define a range of that pool in ipassignment.conf as 
follows:

http://secureknowledge.checkpoint.com/kb/docs/public/firewall1/ng/pdf/om_ip_assignment.pdf

Type – This is a descriptor. It can be 'addr', 'range' or 'net'. 'addr' 
specifies one IP for one user (this prefix is optional). 'range' and 'net' 
specify a range of addresses. These prefixes are required.


Regards ...

----------------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please 
delete without copying and kindly advise us by e-mail of the mistake in 
delivery. NOTE: Regardless of content, this e-mail shall not operate to 
bind CSC to any order or other contract unless pursuant to explicit 
written agreement or government initiative expressly permitting the use of 
e-mail for such purpose.
----------------------------------------------------------------------------------------
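The two pool designs argued over in this thread (carving a range such as 123.4.5.101-123.4.5.111 out of the LAN subnet and listing it in ipassignment.conf, as in the message above, versus the separate network that internal routers send back to the firewall, as Ray and Charalambos describe in the quoted replies below), as an added Python example. It is not code from any message in the thread or from Check Point. The column layout it parses (gateway, optional type, address, user), the function names and the sample lines are constructed assumptions of this example; check the layout against the Office Mode IP assignment document linked above before relying on it.

```python
import ipaddress


def _ip(text):
    """Dotted quad -> int, raising ValueError on junk."""
    return int(ipaddress.IPv4Address(text))


def parse_ipassignment_line(line):
    """Parse one ipassignment.conf line into (gateway, kind, first, last, user).

    Column layout assumed by this example: gateway, optional type ('addr'
    may be omitted, 'range' and 'net' may not), address, user.  Blank and
    comment lines give None.  first/last are ints so ranges compare cheaply.
    """
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if len(fields) == 3:                     # type omitted => single address
        gateway, kind, value, user = fields[0], "addr", fields[1], fields[2]
    elif len(fields) == 4:
        gateway, kind, value, user = fields
    else:
        raise ValueError(f"malformed line: {line!r}")
    if kind == "addr":
        first = last = _ip(value)
    elif kind == "range":
        lo, hi = value.split("-", 1)
        first, last = _ip(lo), _ip(hi)
        if first > last:
            raise ValueError(f"reversed range: {line!r}")
    elif kind == "net":
        net = ipaddress.IPv4Network(value, strict=False)
        first, last = int(net.network_address), int(net.broadcast_address)
    else:
        raise ValueError(f"unknown type {kind!r}: {line!r}")
    return gateway, kind, first, last, user


def _overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def _fmt(first, last):
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return str(lo) if first == last else f"{lo}-{hi}"


def check_office_mode_plan(pool, internal_nets, lan_hosts, reserved, conf_text):
    """Return a list of problem strings; an empty list means the plan is consistent.

    pool          -- the Office Mode pool network object, e.g. '123.4.5.0/24'
    internal_nets -- networks routed inside the LAN, e.g. ['10.0.0.0/8']
    lan_hosts     -- 'a-b' ranges that LAN hosts actually occupy (DHCP scope,
                     static servers), only used for the carve-out design
    reserved      -- 'a-b' slice of pool kept for remote users (carve-out
                     design), or None when pool is a separate network
    conf_text     -- contents of ipassignment.conf
    """
    problems = []
    pool = ipaddress.IPv4Network(pool)
    pool_b = (int(pool.network_address), int(pool.broadcast_address))
    if reserved is None:
        # Separate-network design: the pool must not collide with anything on
        # the LAN, so internal routers treat it as unknown and forward it to
        # the firewall's internal interface.
        for n in internal_nets:
            if pool.overlaps(ipaddress.IPv4Network(n)):
                problems.append(f"pool {pool} overlaps internal network {n}")
        res_b = pool_b
    else:
        # Carve-out design: remote users get addresses from the LAN subnet
        # itself (so host-based filters keep working), hence the slice must
        # sit inside the pool object and must not be in use by LAN hosts.
        lo, hi = reserved.split("-", 1)
        res_b = (_ip(lo), _ip(hi))
        if not (pool_b[0] <= res_b[0] <= res_b[1] <= pool_b[1]):
            problems.append(f"reserved {reserved} is not inside pool {pool}")
        for h in lan_hosts:
            hlo, hhi = h.split("-", 1)
            if _overlaps(res_b, (_ip(hlo), _ip(hhi))):
                problems.append(f"reserved {reserved} collides with LAN hosts {h}")
    entries = [e for e in map(parse_ipassignment_line, conf_text.splitlines()) if e]
    # Every per-user assignment has to fall inside the slice the gateway hands out.
    for _gw, _kind, first, last, user in entries:
        if not (res_b[0] <= first and last <= res_b[1]):
            problems.append(f"{user}: {_fmt(first, last)} lies outside {_fmt(*res_b)}")
    # Two different users must never be handed the same address.
    for i, (_, _, f1, l1, u1) in enumerate(entries):
        for _, _, f2, l2, u2 in entries[i + 1:]:
            if u1 != u2 and _overlaps((f1, l1), (f2, l2)):
                problems.append(f"{u1} and {u2} both get {_fmt(max(f1, f2), min(l1, l2))}")
    return problems


if __name__ == "__main__":
    # Constructed sample file: one group range, one user outside it and one
    # user colliding with the group range.
    sample = """# gateway  type   address                  user
*          range  123.4.5.101-123.4.5.111  remote-users
*          addr   123.4.5.120              dstrom
fw-1              123.4.5.105              contractor
"""
    for p in check_office_mode_plan("123.4.5.0/24", ["123.4.5.0/24"],
                                    ["123.4.5.1-123.4.5.100", "123.4.5.112-123.4.5.254"],
                                    "123.4.5.101-123.4.5.111", sample):
        print("PROBLEM:", p)
```

Run with the separate-network design by passing `reserved=None` and a pool such as `192.168.77.0/24`; the only check that then matters is that the pool does not overlap any internal network. Remember the thread's other point: per sk25859 (quoted below) a change to the Office Mode range did not take effect on that release without a gateway reboot, so re-check the live gateway after any edit, not just the file.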





David Strom <dstrom@CIESIN.COLUMBIA.EDU>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST
13/06/2005 19:02
Please respond to Mailing list for discussion of Firewall-1

        To:     [email protected]
        cc:
        Subject:        Re: [FW-1] VPN ip pool


Then, we can't use SC... there was an earlier suggestion that we *could* 
use a range of IPs within our LAN subnet... All our internal Solaris 
servers use TCP wrappers to only accept connections from our internal 
network; that's security policy, ain't gonna change.  MS PPTP will 
do this, as will the SR IP Pool.  SC, it seems, won't do this.  I.e., if 
our internal net is 123.4.5.x/255.255.255.0, we need to use a range of 
that subnet for our remote users (e.g., 123.4.5.101-123.4.5.111). 
Another subnet won't work.


Ray wrote:

> There is a KB that says you must reboot the firewall after you make a 
> change to the Office Mode IP Pool range for it to take effect.
> 
> I don't think it will work with a "range" and must be a "network". 
> Charalambos has it absolutely right; if the default route on your 
> internal routers send any unknown IP addresses back to the firewall 
> internal interface, you're all set. Note that the IP network you pick 
> for Office Mode is never exposed on the Internet so it doesn't matter 
> what you pick as long as it's not part of your internal networks 
> already. We use a net that is widely removed from our internal LAN so we 
> can tell at a glance from the logs whether the person was remote or not.
> --------------
> Change to Office Mode IP address requires firewall reboot
> 
> Symptoms:  ·After changing Office Mode IP address range, firewall 
> continues using old IP addresses
> 
> ID: sk25859
> -------------
> Ray
> 
>> From: Charalambos Klitiropoulos <[EMAIL PROTECTED]>
>> Reply-To: Mailing list for discussion of Firewall-1 
>> <[email protected]>
>> To: [email protected]
>> Subject: Re: [FW-1] VPN ip pool
>> Date: Sat, 11 Jun 2005 17:32:26 +0300
>>
>> Hello,
>>
>> you need to create a network object that will describe a network that you
>> will treat as internal, but MUST NOT be assigned to any internal VLAN or
>> network. You must configure all your internal devices so that they will
>> forward all packets for that network to your firewall. For example, if your
>> network uses 10.x.x.x addresses, a good idea would be to use 192.168.x.x for
>> the IP Pool network. That way, if you have configured all internal devices
>> properly, they would forward these packets to their default gateway,
>> eventually reaching your firewall.
>>
>> On 6/10/05, David Strom <[EMAIL PROTECTED]> wrote:
>> >
>> > Tried it with the reseller & even got a local CP tech on the line. This
>> > is what we found:
>> >
>> > In my R55 Dashboard, editing the FW, under Remote Access --> Office Mode,
>> > the Office Mode Method options are Manual (using IP Pool) and DHCP. Now
>> > in my dashboard, the Manual (using IP Pool) will only allow me to select
>> > from a list of Networks, it doesn't show any "Address Range"s; I even
>> > created a new range, in case it was excluding the one already in use.
>> >
>> > So, how does one do this, please? I would be ever so grateful.
>> > --
>> > David Strom
>> >
>> > O'Flynn, Derek wrote:
>> >
>> > > With SC you can assign IPs via OfficeMode from a range on your internal
>> > > network. Such that OfficeMode is used and assigns x.x.x.101-111 from your
>> > > internal network. SC works like MSPPTP, and adds a firewall piece as well.
>> > > Of course you still can't connect and have login scripts and drive mappings
>> > > work as easily as you can with MS PPTP. Ugh, don't get me started,
>> > > CheckPoint remote access VPN should get an F on usability.
>> > >
>> > > Derek O'Flynn
>> > >
>> > >
>> > > -----Original Message-----
>> > > From: Mailing list for discussion of Firewall-1
>> > > [mailto:[EMAIL PROTECTED] On Behalf Of David Strom
>> > > Sent: Friday, June 10, 2005 2:24 PM
>> > > To: [email protected]
>> > > Subject: Re: [FW-1] VPN ip pool
>> > >
>> > > I beg to differ... SR is bundled with VPN. We paid for VPN-1 for the
>> > > sole reason to provide remote access. AND an encryption accelerator
>> > > card. AND maintenance/support on each, ever since (3 years now). Money
>> > > wasted.
>> > >
>> > > AND, even though the checkpoint tech rep promised this solution would
>> > > work (just like MS PPTP, I asked explicitly), it does not.
>> > >
>> > > Besides, I don't think SecureClient will work... we did a quick eval
>> > > test, and can't seem to find a way to assign a range of IP addresses to
>> > > use within our LAN subnet, i.e., use IPs x.x.x.101-111 on our class C
>> > > subnet. At least, not in the "Smartview Dashboard".
>> > >
>> > > Looked at SSL extender, didn't care for it, and it won't use our
>> > > encryption accelerator.
>> > >
>> > > Guess you were lucky to have a budget for SC, and/or not to trust the
>> > > Checkpoint sales people.
>> > >
>> > > --
>> > > David Strom
>> > >
>> > >
>> > > no-need to-list wrote:
>> > >
>> > >>As always, we get what we paid for.....(SecureRemote is free!)
>> > >>Use SecureClient, it is not going to break your company budget....the
>> > >>licenses are for concurrent users at any given time....unless you have
>> > >>thousands of them logging in at the same exact moment.
>> > >>
>> > >>Another paying option is using SSL network extender...it uses HTTPS to
>> > >>create the tunnel in Office Mode..always picking up a defined pool of IP
>> > >>addresses immaterial of where the users are logging in from.
>> > >>
>> > >>I gave up on SecureRemote as soon as I finished testing it....
>> > >>
>> > >>
>> > >>"O'Flynn, Derek" <[EMAIL PROTECTED]> wrote:
>> > >>All in glorious detail my exchange with the bright minds at CheckPoint...
>> > >>
>> > >>My response to "it works this way"...
>> > >>The functionality of the VPN server should not require me to monitor my end
>> > >>users' connectivity setup. If they come from a hotel/motel that has a
>> > >>private NAT, this could collide with each other, and I have no control over
>> > >>the remote installation of NAT.
>> > >>
>> > >>I need a procedure for allowing multiple users coming from different VPN
>> > >>peers which may have the same source IP to get a separate IP on the SR NAT.
>> > >>
>> > >>Or to not be DENIED access on the VPN because their point of origin has a
>> > >>certain router subnet defined.
>> > >>
>> > >>The tracker logs record the connection as the following, so the gateway is
>> > >>logging everything particular to the state of the connection, so it should be
>> > >>able to translate each session as an individual tunnel; not that userx and
>> > >>usery have the same source IP, they still have different VPN peers, which
>> > >>can distinguish them.
>> > >>
>> > >>VPN Peer
>> > >>Source IP
>> > >>Destination IP
>> > >>Source Port
>> > >>Destination Port
>> > >>Xlate src
>> > >>
>> > >>Their response...
>> > >>I have spoken to the escalation team and there is nothing that can be
>> > >>changed. Securemote encrypts the packet at the client with the client's IP
>> > >>address, not the IP address of the NAT device. When the packet is decrypted
>> > >>it is decrypted with the source IP. Just as you can't have two devices on
>> > >>your network with the same IP addresses, you can't have two vpn clients with
>> > >>the same IP address. This is a limitation of TCP/IP, not CheckPoint. We
>> > >>developed office mode to overcome this limitation. The NAT device is part
>> > >>of the vpn. You can have Securemote clients connecting from behind the
>> > >>same NAT device because each client has a unique source IP.
>> > >>Can you put in a feature request to add an extra field to the state table
>> > >>such that when a packet is decrypted from a certain VPN peer, it is
>> > >>translated to a unique NAT IP. When this IP is then returned to the
>> > >>gateway, it is then encrypted and sent to the proper VPN peer.
>> > >>
>> > >>My response...
>> > >>Can you put in a feature request to add an extra field to the state table
>> > >>such that when a packet is decrypted from a certain VPN peer, it is
>> > >>translated to a unique NAT IP. When this IP is then returned to the
>> > >>gateway, it is then encrypted and sent to the proper VPN peer.
>> > >>
>> > >>Their response...
>> > >>You can submit an RFE at the following link
>> > >>
>> > >>https://www.checkpoint.com/jsp/rfeLogin/login.jsp
>> > >>
>> > >>The problem with your proposed solution is that the encryption takes place
>> > >>at the client. The peer is the client, it is not the NAT device. The NAT
>> > >>device is not part of the vpn.
>> > >>
>> > >>My response...
>> > >>Actually the VPN peer is the public address of the NAT device. I can submit
>> > >>logs to show that my enforcement point is already aware of this.
>> > >>
>> > >>I have VPN peer - Public IP
>> > >>I have src IP - client's private nat address
>> > >>
>> > >>So you have all the information necessary to differentiate these
>> > >>connections, it's just this would require major code revisions to take this
>> > >>into account, and since you have a product that we can spend $50000 or more
>> > >>on, it's not in Checkpoint's best interest.
>> > >>
>> > >>If I could utilize office mode in securemote then I would :(
>> > >>
>> > >>The other major players in this market allow this functionality for free,
>> > >>just disappointed that something that's a major problem has not been
>> > >>addressed.
>> > >>
>> > >>Derek O'Flynn
>> > >>
>> > >>
>> > >>-----Original Message-----
>> > >>From: Mailing list for discussion of Firewall-1
>> > >>[mailto:[EMAIL PROTECTED] On Behalf Of David Strom
>> > >>Sent: Wednesday, June 08, 2005 3:09 PM
>> > >>To: [email protected]
>> > >>Subject: Re: [FW-1] VPN ip pool
>> > >>
>> > >>Did Checkpoint say *why* they did this "by design"? If it was a
>> > >>mistake, then a big one, if not, then they're punishing those of us
>> > >>using SecuRemote. And, Office Mode/Secure Client doesn't seem to
>> > >>permit exactly the same type of configuration (range of IPs within the
>> > >>local, vpn-ed to subnet).
>> > >>
>> > >>Maybe they messed up, & decided it was a good thing to force SR users to
>> > >>pay for SC, so they decided it's a "design feature".
>> > >>
>> > >>--
>> > >>David Strom
>> > >>
>> > >>O'Flynn, Derek wrote:
>> > >>
>> > >>>Just a note on this, if you use IP Pool NAT this does nothing to help
>> > >>>endpoints that have the same source ip. For instance, two users behind
>> > >>>routers at their house with 192.168.1.1 as their IP address. If they both
>> > >>>connect at the same time, you will notice connectivity issues. I just
>> > >>>recently worked with CheckPoint Support on this and they confirmed the
>> > >>>issue with me and verified it is by design, and to resolve it I'll need to
>> > >>>upgrade to SecureClient or have one of the end users change their router
>> > >>>subnet.
>> > >>>
>> > >>>Derek O'Flynn
>> > >>>
>> > >>>-----Original Message-----
>> > >>>From: Mailing list for discussion of Firewall-1
>> > >>>[mailto:[EMAIL PROTECTED] On Behalf Of Neil Kemp
>> > >>>Sent: Sunday, June 05, 2005 2:46 AM
>> > >>>To: [email protected]
>> > >>>Subject: Re: [FW-1] VPN ip pool
>> > >>>
>> > >>>You can use IP Pools where you create an address range (has to be outside
>> > >>>of your Internal Network) and assign it.
>> > >>>
>> > >>>Works OK, done this a couple of times.
>> > >>>
>> > >>>-----Original Message-----
>> > >>>From: Mailing list for discussion of Firewall-1
>> > >>>[mailto:[EMAIL PROTECTED] On Behalf Of Cem Akbas
>> > >>>Sent: Saturday, June 04, 2005 8:31 AM
>> > >>>To: [email protected]
>> > >>>Subject: [FW-1] VPN ip pool
>> > >>>
>> > >>>Using VPN-1 - SecuRemote, how can I assign IP addresses to clients? Or
>> > >>>is it possible only for SecureClient?
>> > >>>
>> > >>>Thanks
>> > >>>
>> > >>>=================================================
>> > >>>To set vacation, Out-Of-Office, or away messages,
>> > >>>send an email to [EMAIL PROTECTED]
>> > >>>in the BODY of the email add:
>> > >>>set fw-1-mailinglist nomail
>> > >>>=================================================
>> > >>>To unsubscribe from this mailing list,
>> > >>>please see the instructions at
>> > >>>http://www.checkpoint.com/services/mailing.html
>> > >>>=================================================
>> > >>>If you have any questions on how to change your
>> > >>>subscription options, email
>> > >>>[EMAIL PROTECTED]
>> > >>>=================================================