Thanks Ray. My response below. Huiqi
Mailing list for discussion of Firewall-1 <[email protected]> wrote on 06/03/2006 15:21:13:

> So when you connect remotely to a box behind the central gateway, the remote
> IP shows up as the Office Mode address?
>
That's correct.

> But when you connect to the central gateway remotely and go to a box behind
> the Nokia using the site-to-site VPN, the remote IP shows up as the IP
> address assigned by the ISP?
>
Not quite like that - I just connect to the central gateway via secure remote. I then go to a box behind the Nokia directly (don't think site-to-site VPN is involved at this point). The remote address shown up is the (private) IP assigned by the ISP though.

> Does the box running X behind the Nokia know how to route the ISP source IP
> address back to the central gateway or will it route the source IP address
> back to the Nokia gateway?
>
> My guess is it's routing the return traffic to the Nokia and not through the
> site-to-site VPN with the central gateway, but that certainly does not
> explain why the Office Mode IP is not being seen behind the Nokia. Maybe
> it's a clue, though.
>
That's something I'm not sure about: shouldn't the return traffic be routed via the Nokia? It doesn't have to go via the central gateway, right?

> Ray
>
>
> >From: [EMAIL PROTECTED]
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Secure Remote problem
> >Date: Mon, 6 Mar 2006 11:31:14 +0000
> >
> >Thanks for the replies.
> >
> >I should have been more specific. I do have a rule to allow X back but the
> >problem is I can't even ping my client?
> >
> >Thanks,
> >
> >Huiqi
> >
> >
> >Ronny Nussbaum <[EMAIL PROTECTED]AIL.COM>
> >Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
> >03/03/2006 20:43
> >Please respond to: Mailing list for discussion of Firewall-1 <[email protected]>
> >To: [EMAIL PROTECTED]INT.COM
> >cc:
> >Subject: Re: [FW-1] Secure Remote problem
> >
> >
> >Or you can make "X11" part of the "Any" group:
> >
> >-Policy menu
> >-Global Properties
> >-SmartDashboard Customization
> >-Stateful Inspection
> >-Check "reject_x11_in_any"
> >
> >-RoNNY
> >
> >On 3/3/06, Reinhard Stich <[EMAIL PROTECTED]> wrote:
> > > hi,
> > >
> > > X11 is not part of the "any"-service - so please make a rule where
> > > you allow X11.
> > >
> > > cheers
> > > reinhard
> > >
> > > At 17:32 03.03.2006, you wrote:
> > > >I'm not sure if I've misunderstood something (not the first time), or what
> > > >else. Here is my problem:
> > > >
> > > >Configuration: one central gateway, and one Nokia enforcement module. Both
> > > >managed by the same smartcentre. Both on NG R55, running Traditional Mode
> > > >VPN. There is a site-to-site VPN between the two. Office Mode configured
> > > >on central gateway.
> > > >
> > > >Problem: Connecting to the internal systems behind the Nokia - no problem.
> > > >But I can't display back X, or even ping the client.
> > > >
> > > >I can connect to the central gateway and display back/ping the client
> > > >without any problems.
> > > >
> > > >I noticed that when I connect to a system behind the central gateway
> > > >(telnet), I can see the IP address of the client is the office mode
> > > >address.
> > > >
> > > >However, connecting to a system behind the Nokia, the IP address is not the
> > > >office mode address but the one assigned by the ISP router.
> > > >
> > > >The firewall rules appear to be OK, but the problem is the point above (the
> > > >office mode address isn't shown up).
> > > >
> > > >Any hints?
> > > >
> > > >Many thanks.
> > > >
> > > >Huiqi Liu
> > > >
> > > >=================================================
> > > >To set vacation, Out-Of-Office, or away messages,
> > > >send an email to [EMAIL PROTECTED]
> > > >in the BODY of the email add:
> > > >set fw-1-mailinglist nomail
> > > >=================================================
> > > >To unsubscribe from this mailing list,
> > > >please see the instructions at
> > > >http://www.checkpoint.com/services/mailing.html
> > > >=================================================
> > > >If you have any questions on how to change your
> > > >subscription options, email
> > > >[EMAIL PROTECTED]
> > > >=================================================
> > >
> > > --
> > > Reinhard Stich        ASSIST        [EMAIL PROTECTED]
> > > Internet Security AG, 1150 Wien, Johnstrasse 29
> > > Tel: +43 1 3709440    RS784-RIPE    Fax: +43 1 3709440-333
