> Not quite like that - I just connect to the central gateway via secure
> remote.
> I then go to a box behind the Nokia directly (don't think site-to-site VPN is
> involved at this point).
> The remote address showing up is the (private) IP assigned by the ISP though.

If the remote traffic is not going to the LAN-behind-Nokia via the site-to-site VPN, how does it get there? Is there also some type of WAN connection in addition to the site-to-site VPN?

Are you using SecuRemote or SecureClient? Office Mode is only supported by SecureClient. I know some people figured out that some versions of SecuRemote can work with Office Mode, but you have to imagine that Check Point will eventually fix that bug.

> That's something I'm not sure about: shouldn't the return traffic be routed
> via the Nokia?
> It doesn't have to go via the central gateway, right?

If you're connecting from the Internet to the central gateway, then all return traffic must be routed out the same gateway you connected to. When you're using Office Mode and have multiple Internet gateways, you need to put in a route on all routers so Office Mode IP addresses are routed out the same gateway that they came from. If you're using multiple gateways and all are configured for Office Mode, I think they all have to use different Office Mode subnets.

If you get on the X box remotely, like by SSH, perform a traceroute to an Office Mode address and see how it routes.

> The remote address showing up is the (private) IP assigned by the ISP though.

So your ISP is assigning a private IP address to its customers?

Sorry for more questions. I just want to make sure I understand your topology.

Ray

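Ray's point about return routing (replies to an Office Mode address must leave the remote site the same way the request came in, otherwise the client never sees the X traffic or the ping reply) can be checked on paper with a longest-prefix-match walk over the routing table of the router at the Nokia side. The following is an added example, not code from the thread or from Check Point; every address in it is a constructed placeholder, and it models plain IP routing only, not the VPN encryption domains that decide what a Traditional Mode gateway actually tunnels. It is written generally: any table of (network, next hop) pairs can be fed to it.

```python
import ipaddress

# Constructed placeholder addresses for the topology discussed in the thread.
# None of these values come from the mailing-list messages.
OFFICE_MODE_NET = "10.255.0.0/24"   # Office Mode pool handed out by the central gateway
REMOTE_LAN = "192.168.20.0/24"      # LAN behind the Nokia where the X server lives
ISP_UPLINK = "203.0.113.1"          # Nokia site's Internet next hop (default route)
CENTRAL_GW = "198.51.100.1"         # next hop that leads into the site-to-site VPN

# Routing table of the router at the Nokia side before the fix: the Office Mode
# pool is unknown, so replies to it follow the default route to the ISP.
ROUTES_BEFORE = [
    (REMOTE_LAN, "direct"),
    ("0.0.0.0/0", ISP_UPLINK),
]

# After the fix Ray describes: an explicit route sends the Office Mode pool
# back towards the central gateway the request came through.
ROUTES_AFTER = ROUTES_BEFORE + [(OFFICE_MODE_NET, CENTRAL_GW)]


def next_hop(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in routes:
        network = ipaddress.ip_network(net, strict=False)
        if addr in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_hop = network, hop
    return best_hop


def return_path_is_symmetric(routes, client_ip, arrived_via):
    """True when the reply to client_ip leaves via the hop the request arrived on."""
    return next_hop(routes, client_ip) == arrived_via


def diagnose(routes, client_ip, arrived_via):
    """Human-readable verdict for one client address and ingress hop."""
    hop = next_hop(routes, client_ip)
    if hop == arrived_via:
        return f"symmetric: reply to {client_ip} leaves via {hop}"
    return (f"asymmetric: reply to {client_ip} leaves via {hop}, "
            f"but the request arrived via {arrived_via}")


if __name__ == "__main__":
    client = "10.255.0.7"  # constructed Office Mode address of the SecureClient user
    print(diagnose(ROUTES_BEFORE, client, CENTRAL_GW))
    print(diagnose(ROUTES_AFTER, client, CENTRAL_GW))
```

The "before" table reproduces the symptom in the thread: the reply to the Office Mode address is matched only by the default route and leaves towards the ISP, where a private address is unroutable. The same check is what Ray's traceroute from the X box would show on a real host.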
From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Secure Remote problem
Date: Mon, 6 Mar 2006 16:35:13 +0000

Thanks Ray.  My response below.

Huiqi

Mailing list for discussion of Firewall-1
<[email protected]> wrote on 06/03/2006 15:21:13:

> So when you connect remotely to a box behind the central gateway, the remote
> IP shows up as the Office Mode address?
>
That's correct.

> But when you connect to the central gateway remotely and go to a box behind
> the Nokia using the site-to-site VPN, the remote IP shows up as the IP
> address assigned by the ISP?
>
Not quite like that - I just connect to the central gateway via secure
remote.
I then go to a box behind the Nokia directly (don't think site-to-site VPN is
involved at this point).
The remote address showing up is the (private) IP assigned by the ISP though.

> Does the box running X behind the Nokia know how to route the ISP source IP
> address back to the central gateway or will it route the source IP address
> back to the Nokia gateway?
>
> My guess is it's routing the return traffic to the Nokia and not through the
> site-to-site VPN with the central gateway, but that certainly does not
> explain why the Office Mode IP is not being seen behind the Nokia. Maybe
> it's a clue, though.
>
That's something I'm not sure about: shouldn't the return traffic be routed
via the Nokia?
It doesn't have to go via the central gateway, right?

> Ray
>
>
> >From: [EMAIL PROTECTED]
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Secure Remote problem
> >Date: Mon, 6 Mar 2006 11:31:14 +0000
> >
> >Thanks for the replies.
> >
> >I should have been more specific.  I do have a rule to allow X back but the
> >problem is I can't even ping my client?
> >
> >Thanks,
> >
> >Huiqi
> >
> >
> >
> >From: Ronny Nussbaum <[EMAIL PROTECTED]>
> >Sent by: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> >To: [EMAIL PROTECTED]
> >cc:
> >Subject: Re: [FW-1] Secure Remote problem
> >Date: 03/03/2006 20:43
> >Please respond to: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> >
> >Or you can make "X11" part of the "Any" group:
> >
> >-Policy menu
> >-Global Properties
> >-SmartDashboard Customization
> >-Stateful Inspection
> >-Check "reject_x11_in_any"
> >
> >-RoNNY
> >
> >On 3/3/06, Reinhard Stich <[EMAIL PROTECTED]> wrote:
> > > hi,
> > >
> > > X11 is not part of the "any"-service - so please make a rule where
> > > you allow X11.
> > >
> > > cheers
> > > reinhard
> > >
> > > At 17:32 03.03.2006, you wrote:
> > > >I'm not sure if I've misunderstood something (not the first time), or what
> > > >else.  Here is my problem:
> > > >
> > > >Configuration: one central gateway, and one Nokia enforcement module.  Both
> > > >managed by the same smartcentre.  Both on NG R55, running Traditional Mode
> > > >VPN.  There is a site-to-site VPN between the two.  Office Mode configured
> > > >on central gateway.
> > > >
> > > >Problem: Connecting to the internal systems behind the Nokia - no problem.
> > > >But I can't display back X, or even ping the client.
> > > >
> > > >I can connect to the central gateway and display back/ping the client
> > > >without any problems.
> > > >
> > > >I noticed that when I connect to a system behind the central gateway
> > > >(telnet), I can see the IP address of the client is the office mode
> > > >address.
> > > >
> > > >However, connecting to a system behind the Nokia, the IP address is not the
> > > >office mode address but the one assigned by the ISP router.
> > > >
> > > >The firewall rules appear to be OK, but the problem is the point above (the
> > > >office mode address isn't showing up).
> > > >
> > > >Any hints?
> > > >
> > > >Many thanks.
> > > >
> > > >Huiqi Liu
> > > >
> > > >=================================================
> > > >To set vacation, Out-Of-Office, or away messages,
> > > >send an email to [EMAIL PROTECTED]
> > > >in the BODY of the email add:
> > > >set fw-1-mailinglist nomail
> > > >=================================================
> > > >To unsubscribe from this mailing list,
> > > >please see the instructions at
> > > >http://www.checkpoint.com/services/mailing.html
> > > >=================================================
> > > >If you have any questions on how to change your
> > > >subscription options, email
> > > >[EMAIL PROTECTED]
> > > >=================================================
> > >
> > > --
> > > Reinhard Stich  ASSIST  [EMAIL PROTECTED]
> > > Internet Security AG,      1150 Wien, Johnstrasse 29
> > > Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
> > >
> > >
