A belated follow-up....

I'm wrestling with a similar problem which I believe is due to my
firewall object having the internal address. My license is keyed to the
external correctly, however.

If I simply change the address in the object, do I expect the whole
firewall to come crashing down? Rules to fail? Clients to disconnect?
Ancient evils to rise from their watery slumber? Or should everything
simply be ducky?

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ray
> Sent: Tuesday, October 11, 2005 7:12 PM
> To: [email protected]
> Subject: Re: [FW-1] Office Mode & SecureClient
> 
> Does your firewall object have the external IP or the 
> internal IP? It has to be the external IP.
> 
> If it works with hub mode, that tells me it's a routing 
> issue. SecureClient doesn't know how to find the policy 
> server until it's already inside the firewall.
> 
> Ray
> 
> >From: cp user <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1              
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Office Mode & SecureClient
> >Date: Tue, 11 Oct 2005 11:45:06 +0200
> >
> >May anyone please give me the steps to configure Office Mode-IP POOL
> >on SecureClient R55?
> >
> >I tried to follow steps described on VPN-1 guide but I still have 
> >problems (my SecureClient cannot communicate with policy server)!
> >
> >My architecture consists of the following:
> >- some hosts on the LAN.
> >- a SmartCenter server that lies on the LAN
> >- a VPN-1 Pro gateway that has two interfaces: an external one and a 
> >local one (connected to the LAN)
> >- a remote access client (the SecureClient) whose default gateway is 
> >set to the VPN-1 Pro gateway. I actually have no router.
> >
> >As David suggested, my VPN domain is actually a Group with exclusions.
> >It is the LAN except the Office Mode IP POOL subnetwork addresses.
> >
> >I noticed that tunnel test succeeds when I activate both Office Mode 
> >and Hub mode. But the tunnel test fails when I only activate Office 
> >mode. Communication with policy server always fails.
> >
> >Kind regards
> >
> >--- "David S. Barker" <[EMAIL PROTECTED]> wrote:
> >
> > > I've been reading this thread and now I'm confused.
> > >
> > > Not on how this is supposed to work but how the terminology is being
> > > used, seems like POOL is being used to describe the encryption
> > > domain.
> > >
> > > When someone says POOL in reference to Check Point I'm thinking one
> > > of two things, IP POOL NAT or OFFICE MODE IP POOL.  In the case of
> > > IP POOL NAT these can be used for Gateway to Gateway or for Remote
> > > Access.  These are allowed as a global property (NAT) and then
> > > assigned on gateways, encrypted connections are translated to these
> > > ip addresses to help eliminate asynchronous routing.
> > >
> > > The only other mention of POOL has to do with Office mode IP POOL.
> > >
> > > Now, with Office Mode it is important that these networks are NOT
> > > part of your Remote access encryption domain.  These addresses are
> > > assigned to your clients on the client side, so think of them as the
> > > Remote encryption domain.  Also, if you want to use a subset of your
> > > existing internal address space for your Office Mode addresses then
> > > you need to also make sure that the topology for all of the internal
> > > interfaces does NOT include these networks.  You can do this by using
> > > Groups with Exclusions.  The exclusions will be the Office Mode
> > > networks.
> > > Finally, you'll have to make sure that if you use any generalized
> > > routes like 10/8 points to a router inside, and your office mode is
> > > 10.10.10.0/24, you'll have to specifically add a route on your
> > > gateways to not point 10.10.10.0/24 to the inside router.  It
> > > doesn't really matter where you point the route as long as it's
> > > being reflected externally, in general I point this to the default
> > > gateway.
> > >
> > > As a general practice I use different Office Mode networks from my
> > > local networks/encryption domain networks so that I don't have to do
> > > this.  With larger networks I had to use the Group with exclusions
> > > frequently.
> > >
> > > Also note if you're using both Office Mode and IP POOL NAT, by
> > > default the Office Mode addresses will be NATted to the IP POOL NAT
> > > addresses too.  You can prevent this by creating a No NAT rule for
> > > the Office Mode Network, or by setting the
> > > om_prevent_ippool_nat_for_users property to true in the
> > > objects_5_0.C on the management server.
> > >
> > >
> > >
> > > Compuquip TECHNOLOGIES
> > > "Providing Solutions Since 1980"
> > >
> > > David Barker
> > > Senior Security Engineer
> > > Internet Security Division
> > >
> > > Phone: 305.436.7272 X 1364
> > > Fax: 305.436.9149
> > > email:[EMAIL PROTECTED]
> > >
> > >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1 
> > > [mailto:[EMAIL PROTECTED]
> > > On Behalf Of cp user
> > > Sent: Saturday, October 08, 2005 5:46 PM
> > > To: [email protected]
> > > Subject: Re: [FW-1] Office Mode & SecureClient
> > >
> > > Hi Bill,
> > >
> > > This means that the "POOL" network object (internal addresses that
> > > will be affected to remote clients) is located in a group that is
> > > defined as VPN domain.
> > >
> > > --- Bill Smith <[EMAIL PROTECTED]> wrote:
> > >
> > > > Hi there,
> > > >
> > > > what do you mean by network pool BEHIND YOUR VPN DOMAIN.
> > > > Could you please expand a bit?
> > > >
> > > > Thx,
> > > >
> > > > Bill
> > > >
> > > > cp user <[EMAIL PROTECTED]> wrote:
> > > > > Be sure to put your SecureClient NETWORK POOL behind
> > > > > your VPN Domain.
> > > > > As Mike says it's probably "address spoofing".
> > > >
> > > > I set the SecureClient network pool behind my VPN domain but the
> > > > problem is still here!! what may I do please?
> > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sahli, Mike [mailto:[EMAIL PROTECTED]
> > > > > Sent: Jueves, 06 de Octubre de 2005 07:42 a.m.
> > > > > To: [email protected]
> > > > > Subject: Re: [FW-1] Office Mode & SecureClient
> > > > >
> > > > > Your problem is probably "address spoofing"; check your logs for all
> > > > > traffic coming in from a known client that is failing.
> > > > >
> > > > > Michael D Sahli
> > > > > Sr. Network Engineer
> > > > > Lockheed Martin IT @ SMECO
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: cp user [mailto:[EMAIL PROTECTED]
> > > > > Sent: Thursday, October 06, 2005 7:54 AM
> > > > > To: [email protected]
> > > > > Subject: [FW-1] Office Mode & SecureClient
> > > > >
> > > > > Hi list,
> > > > >
> > > > > I configured Office Mode with IP Pool on the gateway side.
> > > > > Once I check "Support Office Mode" on my SecureClient, it can no
> > > > > longer logon to policy server and download policy. The "Connect"
> > > > > returns:
> > > > > Connecting to gateway...
> > > > > Negociation succeeded, tunnel test failed
> > > > > Connected to gateway: MyGW
> > > > > Login on to policy server MyServer...
> > > > > Logon to policy server failed.
> > > > > Connection succeeded.
> > > > >
> > > > > I try again to logon to policy server. But this fails with the
> > > > > following message: "SecureClient failed to communicate with policy
> > > > > server MyServer at site MySite".
> > > > >
> > > > > Logs return:
> > > > > Connecting to site MySite using profile MySite
> > > > > Interface change: VPN-1 SecureClient Adapter - Miniport d'ordonnancement de paquets interface added, current ip: 192.168.34.65
> > > > > Default Desktop Security Policy Loaded
> > > > > SecureClient failed to communicate with Policy Server MyServer at site MySite
> > > > > Successfully connected to site
> > > > >
> > > > > Any idea is welcome!
> > > > >
> > > > > Many thanks
> > > > >
> > > > > =================================================
> > > > > To set vacation, Out-Of-Office, or away messages, send an email to
> > > > > [EMAIL PROTECTED]
> > > > > in the BODY of the email add:
> > > > > set fw-1-mailinglist nomail
> > > > > =================================================
> > > > > To unsubscribe from this mailing list, please see the instructions
> > > > > at http://www.checkpoint.com/services/mailing.html
> > > > > =================================================
> > > > > If you have any questions on how to change your subscription
> > > > > options, email [EMAIL PROTECTED]
> > > > > =================================================
> > >
> >=== message truncated ===

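The three rules David spells out in the thread (keep the Office Mode pool out of the remote-access encryption domain, keep it out of every internal interface's topology via a group with exclusions, and override an aggregate route such as 10/8 that would otherwise send the pool to an inside router) can be checked mechanically before a policy push. The following is an added Python example, not code from the thread or from Check Point; the interface name, the next-hop labels and the 10/8 LAN and 10.10.10.0/24 pool are constructed to match the scenario described above.

```python
from ipaddress import ip_network

def exclude(networks, exclusions):
    """Model a 'group with exclusions': member networks minus the excluded ones."""
    pieces = [ip_network(str(n)) for n in networks]
    for ex in (ip_network(str(e)) for e in exclusions):
        kept = []
        for p in pieces:
            if p.subnet_of(ex):          # fully covered by the exclusion: drop it
                continue
            if ex.subnet_of(p):          # carve the exclusion out of this member
                kept.extend(p.address_exclude(ex))
            else:
                kept.append(p)
        pieces = kept
    return sorted(pieces)

def check_office_mode(office_mode, vpn_domain, topology, routes):
    """Return findings; empty means the layout follows the advice in the thread.
    vpn_domain: networks in the remote-access encryption domain
    topology:   {interface_name: [networks]} from the gateway object
    routes:     {destination_prefix: next_hop_label} on the gateway"""
    om = ip_network(office_mode)
    findings = []
    for net in (ip_network(str(n)) for n in vpn_domain):
        if om.overlaps(net):
            findings.append(f"{om} overlaps VPN domain member {net}")
    for iface, nets in topology.items():
        for net in (ip_network(str(n)) for n in nets):
            if om.overlaps(net):
                findings.append(f"{om} is inside the topology of {iface} ({net})")
    # Longest-prefix match: which route would actually carry the pool's traffic?
    matches = [ip_network(d) for d in routes if om.subnet_of(ip_network(d))]
    if matches:
        best = max(matches, key=lambda n: n.prefixlen)
        if routes[str(best)] == "inside-router":
            findings.append(f"{om} follows {best} to the inside router; add a more specific route")
    return findings

# Constructed scenario, as in the thread: LAN is 10/8, Office Mode pool is 10.10.10.0/24.
LAN, OM = ["10.0.0.0/8"], "10.10.10.0/24"
BAD = dict(vpn_domain=LAN, topology={"eth1": LAN},
           routes={"10.0.0.0/8": "inside-router", "0.0.0.0/0": "default-gw"})
GOOD = dict(vpn_domain=exclude(LAN, [OM]), topology={"eth1": exclude(LAN, [OM])},
            routes={"10.0.0.0/8": "inside-router", "0.0.0.0/0": "default-gw", OM: "default-gw"})

if __name__ == "__main__":
    for name, cfg in (("bad", BAD), ("good", GOOD)):
        print(name, check_office_mode(OM, **cfg) or "OK")
```

The "bad" layout reports all three problems; the "good" one, which carves the pool out of the /8 and adds the more specific route, reports none.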
