Hi Ray,

> Does your firewall object have the external IP or
> the internal IP? It has to be the external IP.

Yes, my firewall object has the external IP.

> If it works with hub mode, that tells me it's a
> routing issue. SecureClient doesn't know how to find
> the policy server until it's already inside the
> firewall.

Would you please explain in more detail what you mean by the latter idea?

Thanks a lot Ray

> Ray
>
> > From: cp user <[EMAIL PROTECTED]>
> > Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
> > To: [email protected]
> > Subject: Re: [FW-1] Office Mode & SecureClient
> > Date: Tue, 11 Oct 2005 11:45:06 +0200
> >
> > May anyone please give me the steps to configure
> > Office Mode IP POOL on SecureClient R55?
> >
> > I tried to follow the steps described in the VPN-1 guide, but I
> > still have problems (my SecureClient cannot
> > communicate with the policy server)!
> >
> > My architecture consists of the following:
> > - some hosts on the LAN.
> > - a SmartCenter server that lies on the LAN
> > - a VPN-1 Pro gateway that has two interfaces: an
> >   external one and a local one (connected to the LAN)
> > - a remote access client (the SecureClient) whose
> >   default gateway is set to the VPN-1 Pro gateway. I
> >   actually have no router.
> >
> > As David suggested, my VPN domain is actually a Group
> > with Exclusions. It is the LAN except the Office Mode
> > IP POOL subnetwork addresses.
> >
> > I noticed that the tunnel test succeeds when I activate
> > both Office Mode and Hub Mode. But the tunnel test
> > fails when I only activate Office Mode. Communication
> > with the policy server always fails.
> >
> > Kind regards
> >
> > --- "David S. Barker" <[EMAIL PROTECTED]> wrote:
> >
> > > I've been reading this thread and now I'm confused.
> > >
> > > Not on how this is supposed to work but how the
> > > terminology is being used; it seems like POOL is being
> > > used to describe the encryption domain.
> > >
> > > When someone says POOL in reference to Check Point
> > > I'm thinking of one of two things, IP POOL NAT or
> > > OFFICE MODE IP POOL. In the case of IP POOL NAT
> > > these can be used for Gateway to Gateway or for
> > > Remote Access. These are allowed as a global
> > > property (NAT) and then assigned on gateways;
> > > encrypted connections are translated to these IP
> > > addresses to help eliminate asynchronous routing.
> > >
> > > The only other mention of POOL has to do with Office
> > > Mode IP POOL.
> > >
> > > Now, with Office Mode it is important that these
> > > networks are NOT part of your Remote Access
> > > encryption domain. These addresses are assigned to
> > > your clients on the client side, so think of them as
> > > the Remote encryption domain. Also, if you want to
> > > use a subset of your existing internal address space
> > > for your Office Mode addresses then you need to also
> > > make sure that the topology for all of the internal
> > > interfaces does NOT include these networks. You can do
> > > this by using Groups with Exclusions. The
> > > exclusions will be the Office Mode networks.
> > > Finally, you'll have to make sure that if you use
> > > any generalized routes like 10/8 pointing to a router
> > > inside, and your Office Mode is 10.10.10.0/24,
> > > you'll have to specifically add a route on your
> > > gateways to not point 10.10.10.0/24 to the inside
> > > router. It doesn't really matter where you point
> > > the route as long as it's being reflected
> > > externally; in general I point this to the default
> > > gateway.
> > >
> > > As a general practice I use different Office Mode
> > > networks from my local networks/encryption domain
> > > networks so that I don't have to do this. With
> > > larger networks I had to use the Group with
> > > Exclusions frequently.
> > >
> > > Also note that if you're using both Office Mode and IP
> > > POOL NAT, by default the Office Mode addresses will
> > > be NATted to the IP POOL NAT addresses too. You can
> > > prevent this by creating a No NAT rule for the
> > > Office Mode network, or by setting the
> > > om_prevent_ippool_nat_for_users property to true in
> > > the objects_5_0.C on the management server.
> > >
> > >
> > > Compuquip TECHNOLOGIES
> > > "Providing Solutions Since 1980"
> > >
> > > David Barker
> > > Senior Security Engineer
> > > Internet Security Division
> > >
> > > Phone: 305.436.7272 X 1364
> > > Fax: 305.436.9149
> > > email: [EMAIL PROTECTED]
> > >
> > >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]
> > > On Behalf Of cp user
> > > Sent: Saturday, October 08, 2005 5:46 PM
> > > To: [email protected]
> > > Subject: Re: [FW-1] Office Mode & SecureClient
> > >
> > > Hi Bill,
> > >
> > > This means that the "POOL" network object (internal
> > > addresses that will be assigned to remote clients)
> > > is located in a group that is defined as the VPN domain.
> > >
> > > --- Bill Smith <[EMAIL PROTECTED]> wrote:
> > >
> > > > Hi there,
> > > >
> > > > what do you mean by network pool BEHIND YOUR VPN DOMAIN.
> > > > Could you please expand a bit?
> > > >
> > > > Thx,
> > > >
> > > > Bill
> > > >
> > > > cp user <[EMAIL PROTECTED]> wrote:
> > > > > Be sure to put your SecureClient NETWORK POOL behind
> > > > > your VPN Domain.
> > > > > As Mike says it's probably "address spoofing".
> > > >
> > > > I set the SecureClient network pool behind my VPN domain but the
> > > > problem is still here!! What may I do please?
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Sahli, Mike [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, 06 October 2005 07:42 a.m.
> > > > > To: [email protected]
> > > > > Subject: Re: [FW-1] Office Mode & SecureClient
> > > > >
> > > > > Your problem is probably "address spoofing"
> > > > > check your logs for all
=== message truncated ===
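The three mistakes David Barker's message warns about (an Office Mode pool left inside the Remote Access encryption domain, left inside an internal interface's topology, and swallowed by a summary route such as 10/8 that points at the inside router) are easy to check against an address plan before touching the gateway. The script below is an added example written for this page, not code from the thread or from Check Point: it models a Group with Exclusions as "LAN minus pool", does a longest-prefix-match route lookup the way the gateway's routing table would, and reports each of the three conditions. All networks, the interface name eth1, the inside router 10.0.0.254 and the default gateway 203.0.113.1 are constructed for illustration.

```python
# Added example (not from the mailing-list thread): a plan-checker for the
# Office Mode advice in David Barker's message. All networks, interface names
# and next hops below are constructed for illustration; the Check Point objects
# (VPN domain group, interface topology) are modelled as plain Python lists.
import ipaddress


def vpn_domain_with_exclusions(lan_networks, office_mode_pools):
    """Model a 'Group with Exclusions': the LAN networks minus the Office Mode pools.

    Returns the subnets that remain once every pool is carved out, i.e. what the
    gateway should treat as the encryption domain.
    """
    pieces = list(lan_networks)
    for pool in office_mode_pools:
        remaining = []
        for piece in pieces:
            if piece.subnet_of(pool):
                continue                                        # entirely inside the pool: drop
            if pool.subnet_of(piece):
                remaining.extend(piece.address_exclude(pool))   # carve the pool out
            else:
                remaining.append(piece)                         # disjoint: keep as-is
        pieces = remaining
    return sorted(pieces)


def next_hop(routes, destination):
    """Longest-prefix match over (prefix, next_hop) pairs, as a routing table does."""
    best = None
    for prefix, hop in routes:
        if destination.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def audit_office_mode_plan(vpn_domain, office_mode_pools, internal_topology, routes, inside_router):
    """Report the three mistakes the thread warns about.

    vpn_domain        : networks in the Remote Access encryption domain
    office_mode_pools : networks handed to SecureClient users in Office Mode
    internal_topology : {interface name: [networks declared behind it]}
    routes            : [(prefix, next hop)] on the gateway
    inside_router     : the next hop that summary routes such as 10/8 point at
    """
    findings = []
    for pool in office_mode_pools:
        for member in vpn_domain:
            if pool.overlaps(member):
                findings.append(f"{pool} overlaps VPN domain member {member}: exclude it from the domain")
        for iface, nets in internal_topology.items():
            for net in nets:
                if pool.overlaps(net):
                    findings.append(f"{pool} is inside the topology of {iface} ({net}): exclude it there too")
        if next_hop(routes, pool) == inside_router:
            findings.append(f"{pool} is routed to the inside router {inside_router}: add a specific route for it")
    return findings


# Constructed data: a 10/8 LAN with the Office Mode pool taken from inside it,
# an inside router at 10.0.0.254 and an external default gateway at 203.0.113.1.
LAN = [ipaddress.ip_network("10.0.0.0/8")]
POOLS = [ipaddress.ip_network("10.10.10.0/24")]
INSIDE_ROUTER = "10.0.0.254"
DEFAULT_GW = "203.0.113.1"


def naive_plan():
    """Pool still inside the domain and the topology, and 10/8 swallows its route."""
    routes = [(ipaddress.ip_network("10.0.0.0/8"), INSIDE_ROUTER),
              (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW)]
    return audit_office_mode_plan(LAN, POOLS, {"eth1": LAN}, routes, INSIDE_ROUTER)


def corrected_plan():
    """Group with Exclusions for domain and topology, plus a specific route pointed externally."""
    domain = vpn_domain_with_exclusions(LAN, POOLS)
    routes = [(ipaddress.ip_network("10.0.0.0/8"), INSIDE_ROUTER),
              (ipaddress.ip_network("10.10.10.0/24"), DEFAULT_GW),
              (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW)]
    return audit_office_mode_plan(domain, POOLS, {"eth1": domain}, routes, INSIDE_ROUTER)


if __name__ == "__main__":
    for finding in naive_plan():
        print("NAIVE:", finding)
    print("CORRECTED findings:", corrected_plan())
```

The naive plan produces one finding per mistake; the corrected plan produces none. The specific route for the pool is pointed at the default gateway, which matches the message's advice that the route only has to be reflected externally rather than at any particular hop. The check covers only routing and object scope; it says nothing about the IP Pool NAT interaction, which on a real gateway still needs the No NAT rule or the om_prevent_ippool_nat_for_users property described above.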
