The CPMI resource which is used to connect the SMARTConsole to the SMARTCenter 
is an implicit rule in Global Properties, which is applied before the encryption 
rule, hence it will be presented to the peer gateway unencrypted.  
 
You can edit the implied_rules.def on the SMARTCenter, then create an explicit 
rule for CPMI and assign it to a VPN community.
 
SK25867


1.      Edit $FWDIR/lib/implied_rules.def on the SmartCenter Server. 
        
2.      Locate and comment the define ENABLE_CPMI line (by adding "//"): 
        
        Before: 
        #define ENABLE_CPMI 
        
        Change to: 
        //#define ENABLE_CPMI 
        
        
3.      Locate and modify :#define accept_cpmi_reverse. This modification 
varies depending on the Gateway version: 
        
        NG with Application Intelligence R55: 
        Line 270 : #define accept_cpmi_reverse 
        
        Change to: 
        : #define accept_cpmi_port_reverse 
        
        NGX R60: 
        Line 327 : #define accept_cpmi_reverse 
        
        Change to: 
        : #define accept_cpmi_port_reverse 
        
        
4.      Create specific CPMI rules for VPN Communities. 
        
5.      Install the Security Policy.

Note: 
This change does not survive upgrades. Back up this file for reference, if 
installing an HFA or upgrading. 

Workaround: 
If you have VPN-1 SecureClient available with Visitor Mode and Office Mode 
enabled, you can use SecureClient in Visitor Mode to connect to the Security 
Gateway that protects the SmartCenter. Then use the SMART client 
(SmartDashboard) over the Visitor Mode connection. 

You will have to use the ipassignment.conf file on the Gateway, to assign 
SecureClient users a static IP address and also allow that IP address as a GUI 
client. This enables clients behind an Edge XU (for example) to obtain a static 
IP when necessary. 

 
 

________________________________

From: Mailing list for discussion of Firewall-1 on behalf of Michael Kelly (HRG)
Sent: Wed 08/02/2006 18:07
To: [email protected]
Subject: [FW-1] SmartDashboard to SmartCenter Server over VPN fails to connect



When I try to connect to the SmartCenter server using SmartDashboard over a
VPN, it fails to connect.
The logfile shows "encryption failure: Different community ID, possible NAT
problem (VPN Error code 02)".
The strange thing is, I can ssh to the same SmartCenter server from the
same PC over the same VPN without any problems.
I can also connect to any other device on the internal LAN without any
problems.
The VPN is between a VPN-1 Edge box and a ClusterXL system running NG AI
R55.

What do I need to do to get GUI connectivity?

Thanks in advance,
Michael.



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
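
The file edits in steps 1-3 of the SK25867 procedure quoted in the reply, with the backup its Note recommends, as an added shell example that is not part of the original thread or of Check Point's tooling. The helper names `cpmi_check` and `cpmi_patch` are hypothetical and the sample file is constructed; if the real define lines are laid out differently, `cpmi_patch` returns non-zero and the edit has to be made by hand.

```shell
#!/bin/sh
# Added example: applies steps 1-3 to implied_rules.def and verifies them.
# cpmi_check / cpmi_patch are hypothetical helper names, not Check Point tools.

ACTIVE_CPMI='^[[:space:]]*#define[[:space:]]+ENABLE_CPMI([[:space:]]|$)'
OLD_REVERSE='^[[:space:]]*#define[[:space:]]+accept_cpmi_reverse([[:space:]]|$)'
NEW_REVERSE='^[[:space:]]*#define[[:space:]]+accept_cpmi_port_reverse([[:space:]]|$)'

# Return 0 only if the file carries both edits (re-run after an HFA or upgrade).
cpmi_check() {
    f=$1
    [ -r "$f" ] || return 2
    if grep -Eq "$ACTIVE_CPMI" "$f"; then return 1; fi   # implied rule still on
    if grep -Eq "$OLD_REVERSE" "$f"; then return 1; fi   # old define still there
    grep -Eq "$NEW_REVERSE" "$f"
}

# Back up the file, comment out ENABLE_CPMI, rename the reverse define.
cpmi_patch() {
    f=$1
    [ -w "$f" ] || return 2
    cpmi_check "$f" && return 0              # already patched: no new backup
    bak="$f.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$f" "$bak" || return 2
    tmp="$f.tmp.$$"
    sed -e 's|^\([[:space:]]*\)\(#define[[:space:]][[:space:]]*ENABLE_CPMI[[:space:]]*\)$|\1//\2|' \
        -e 's|^\([[:space:]]*#define[[:space:]][[:space:]]*accept_cpmi\)_reverse$|\1_port_reverse|' \
        -e 's|^\([[:space:]]*#define[[:space:]][[:space:]]*accept_cpmi\)_reverse\([[:space:]]\)|\1_port_reverse\2|' \
        "$f" > "$tmp" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$f" && rm -f "$tmp"        # keeps the original owner and mode
    cpmi_check "$f"                          # non-zero: edit the file by hand
}

# Constructed sample, not the real file: only the lines the steps touch.
cpmi_sample() {
    printf '%s\n' '#define ENABLE_CPMI' '#define ENABLE_OTHER' \
        '#define accept_cpmi_reverse'
}
```

Steps 4 and 5 (the explicit CPMI rules for the VPN communities and the policy install) are still done in SmartDashboard; running `cpmi_check "$FWDIR/lib/implied_rules.def"` after an upgrade shows whether the file was reset.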


