Hub mode sets a new default route on the client so ALL traffic is forced down
the tunnel, even stuff on the local LAN that's not part of the firewall's
encryption domain.
Since the policy server can be found by hub mode, that tells me something,
but I'm not sure what. Is your policy server on the firewall or a different
box?
There's also a KB article about how the policy server binds itself to the
first IP it finds on the firewall, not necessarily the one you pick for the
external interface. I don't remember the article but you have to set a NAT
rule to make it go to the right place. I think you run netstat on the
firewall and look at what interface is bound to the port used by the policy
server.
You don't need to do a group with exclusion unless you really need an IP for
Office Mode that's part of the internal IP space. It's better to set your
internal routers so their default route always ends up at the firewall. That
way you can pick any address space you want for Office Mode.
Ray
From: cp user <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Office Mode & SecureClient
Date: Wed, 12 Oct 2005 12:41:05 +0200
Hi Ray,
> Does your firewall object have the external IP or
> the internal IP? It has to be the external IP.
Yes, my firewall object has the external IP.
> If it works with hub mode, that tells me it's a
> routing issue. SecureClient
> doesn't know how to find the policy server until
> it's already inside the
> firewall.
>
Would you please explain in more detail what you mean by the latter idea?
Thanks a lot Ray
> Ray
>
> >From: cp user <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Office Mode & SecureClient
> >Date: Tue, 11 Oct 2005 11:45:06 +0200
> >
> >May anyone please give me the steps to configure
> >Office Mode-IP POOL on SecureClient R55?
> >
> >I tried to follow the steps described in the VPN-1 guide but I
> >still have problems (my SecureClient cannot
> >communicate with policy server)!
> >
> >My architecture consists of the following:
> >- some hosts on the LAN.
> >- a SmartCenter server that lies on the LAN
> >- a VPN-1 Pro gateway that has two interfaces: an
> >external one and a local one (connected to the LAN)
> >- a remote access client (the SecureClient) whose
> >default gateway is set to the VPN-1 Pro gateway. I
> >actually have no router.
> >
> >As David suggested, my VPN domain is actually a Group
> >with exclusions. It is the LAN except Office Mode IP
> >POOL subnetwork addresses.
> >
> >I noticed that tunnel test succeeds when I activate
> >both Office Mode and Hub mode. But the tunnel test
> >fails when I only activate Office mode. Communication
> >with policy server always fails.
> >
> >Kind regards
> >
> >--- "David S. Barker" <[EMAIL PROTECTED]> wrote:
> >
> > > I've been reading this thread and now I'm confused.
> > >
> > > Not on how this is supposed to work but how the
> > > terminology is being used, seems like POOL is being
> > > used to describe the encryption domain.
> > >
> > > When someone says POOL in reference to Check Point
> > > I'm thinking one of two things, IP POOL NAT or
> > > OFFICE MODE IP POOL. In the case of IP POOL NAT
> > > these can be used for Gateway to Gateway or for
> > > Remote Access. These are allowed as a global
> > > property (NAT) and then assigned on gateways,
> > > encrypted connections are translated to these ip
> > > addresses to help eliminate asynchronous routing.
> > >
> > > The only other mention of POOL has to do with Office
> > > mode IP POOL.
> > >
> > > Now, with Office Mode it is important that these
> > > networks are NOT part of your Remote access
> > > encryption domain. These addresses are assigned to
> > > your clients on the client side, so think of them as
> > > the Remote encryption domain. Also, if you want to
> > > use a subset of your existing internal address space
> > > for your Office Mode addresses then you need to also
> > > make sure that the topology for all of the internal
> > > interfaces does NOT include these networks. You can do
> > > this by using Groups with Exclusions. The
> > > exclusions will be the Office Mode networks.
> > > Finally, you'll have to make sure that if you use
> > > any generalized routes like 10/8 pointing to a router
> > > inside, and your office mode is 10.10.10.0/24,
> > > you'll have to specifically add a route on your
> > > gateways to not point 10.10.10.0/24 to the inside
> > > router. It doesn't really matter where you point
> > > the route as long as it's being reflected
> > > externally, in general I point this to the default
> > > gateway.
> > >
> > > As a general practice I use different Office Mode
> > > networks from my local networks/encryption domain
> > > networks so that I don't have to do this. With
> > > larger networks I had to use the Group with
> > > exclusions frequently.
> > >
> > > Also note if you're using both Office Mode and IP
> > > POOL NAT, by default the Office Mode addresses will
> > > be NATted to the IP POOL NAT addresses too. You can
> > > prevent this by creating a No NAT rule for the
> > > Office Mode Network, or by setting the
> > > om_prevent_ippool_nat_for_users property to true in
> > > the objects_5_0.C on the management server.
> > >
> > > Compuquip TECHNOLOGIES
> > > "Providing Solutions Since 1980"
> > >
> > > David Barker
> > > Senior Security Engineer
> > > Internet Security Division
> > >
> > > Phone: 305.436.7272 X 1364
> > > Fax: 305.436.9149
> > > email:[EMAIL PROTECTED]
> > >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1
> > > [mailto:[EMAIL PROTECTED]
> > > On Behalf Of cp user
> > > Sent: Saturday, October 08, 2005 5:46 PM
> > > To: [email protected]
> > > Subject: Re: [FW-1] Office Mode & SecureClient
> > >
> > > Hi Bill,
> > >
> > > This means that the "POOL" network object (internal
> > > addresses that will be affected to remote clients)
> > > is located in a group that is defined as VPN domain.
> > >
> > > --- Bill Smith <[EMAIL PROTECTED]> wrote:
> > >
> > > > Hi there,
> > > >
> > > > what do you mean by network pool BEHIND YOUR VPN
> > > > DOMAIN. Could you please expand a bit?
> > > >
> > > > Thx,
> > > >
> > > > Bill
> > > >
> > > > cp user <[EMAIL PROTECTED]> wrote:
> > > > > Be sure to put your SecureClient NETWORK POOL
> > > > > behind your VPN Domain.
> > > > > As Mike says it's probably "address spoofing".
> > > >
> > > > I set the SecureClient network pool behind my VPN
> > > > domain but the problem is still here!! What may I do please?
> > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sahli, Mike [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, 06 October 2005 07:42 a.m.
> > > > > To: [email protected]
> > > > > Subject: Re: [FW-1] Office Mode & SecureClient
> > > > >
> > > > > Your problem is probably "address spoofing"
> > > > > check your logs for all
>
=== message truncated ===
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
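Two of the Office Mode pitfalls raised in this thread can be checked mechanically before touching the gateway: David's point that a generalized route such as 10/8 to an inside router will swallow an Office Mode pool like 10.10.10.0/24 unless a more specific route exists, and the repeated advice that the pool must not be covered by the VPN domain (hence the group with exclusions). The script below is an added example, not code from the thread or from Check Point; the route tables, networks and next-hop labels are constructed placeholders.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# A static route as (destination prefix, next-hop label). Labels are
# placeholders, not real hosts; the tables below are constructed for this example.
Route = Tuple[str, str]

ROUTES_WITH_SUMMARY: List[Route] = [
    ("0.0.0.0/0", "default-gw"),        # external default gateway
    ("10.0.0.0/8", "inside-router"),    # the generalized 10/8 route from the thread
]
OFFICE_MODE_NET = "10.10.10.0/24"
# Fix from the thread: a specific route for the Office Mode pool that does not
# point at the inside router (here it is sent to the default gateway).
ROUTES_FIXED: List[Route] = ROUTES_WITH_SUMMARY + [(OFFICE_MODE_NET, "default-gw")]


def best_route(routes: Sequence[Route], net: str) -> Optional[Route]:
    """Longest-prefix match: the route the gateway would use for this network."""
    target = ipaddress.ip_network(net)
    best: Optional[Route] = None
    best_len = -1
    for dst, next_hop in routes:
        prefix = ipaddress.ip_network(dst)
        if target.subnet_of(prefix) and prefix.prefixlen > best_len:
            best, best_len = (dst, next_hop), prefix.prefixlen
    return best


def office_mode_route_ok(routes: Sequence[Route], office_net: str, inside_router: str) -> bool:
    """False when the pool's return traffic would be sent to the inside router."""
    match = best_route(routes, office_net)
    return match is None or match[1] != inside_router


def pool_outside_vpn_domain(domain: Sequence[str], exclusions: Sequence[str], office_net: str) -> bool:
    """True when the VPN domain (a group with exclusions) does not cover the pool."""
    pool = ipaddress.ip_network(office_net)
    covered = any(pool.overlaps(ipaddress.ip_network(n)) for n in domain)
    excluded = any(pool.subnet_of(ipaddress.ip_network(n)) for n in exclusions)
    return not covered or excluded


if __name__ == "__main__":
    print("summary route only:", office_mode_route_ok(ROUTES_WITH_SUMMARY, OFFICE_MODE_NET, "inside-router"))
    print("with specific route:", office_mode_route_ok(ROUTES_FIXED, OFFICE_MODE_NET, "inside-router"))
    print("domain 10/8, no exclusion:", pool_outside_vpn_domain(["10.0.0.0/8"], [], OFFICE_MODE_NET))
    print("domain 10/8, pool excluded:", pool_outside_vpn_domain(["10.0.0.0/8"], [OFFICE_MODE_NET], OFFICE_MODE_NET))
```

Feed it the gateway's actual static routes and the VPN domain group's members and exclusions to reproduce the two checks against a real configuration.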