Thanks again, Ray.
That does help me to understand it.
Got this to work - though it turned out quite simple:
- Connect to SPLAT on the internet and get an office mode address (though
  OM isn't really the issue here, just confused it!)
- Login to an X box behind the Nokia (e.g., telnet)
- set DISPLAY back to the client's ISP assigned address (private address,
  not the OM address)
- add appropriate rule to allow X out (to the internet) on the Nokia box
That's it.
Huiqi
From: Ray <[EMAIL PROTECTED]IL.COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]INT.COM
Subject: Re: [FW-1] Secure Remote problem
Date: 07/03/2006 15:30
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
In order for you to connect to the SPLAT box by SecureClient and access the
LAN behind the Nokia box, the LAN of the Nokia box must be part of the VPN
Domain of the SPLAT box. Is it?
Likewise, is the LAN behind the SPLAT box part of the VPN Domain of the
Nokia box?
SecureClient (and site-to-site VPNs) use the VPN Domain definition to know
what traffic needs to be encrypted and sent down the VPN tunnel.
You could make the Office Mode network part of the VPN Domain of the SPLAT
box, and as long as the Nokia box also knows it, that would route the
traffic correctly. There are conflicting articles in Check Point's
SecureKnowledge as to whether the Office Mode network should or should not
be part of the VPN domain. I do not have it part of my VPN domain.
The Office Mode network needs to be a subnet that you're not using anywhere
internally. Is this true?
With simplified mode, you should have NAT disabled within the VPN
community.
I don't know how to do that in traditional mode. Do you know if it is
disabled between the SPLAT LAN and the Nokia LAN?
As I recall, an X connection from the server to the client (SecureClient
laptop) is a totally new connection, technically not part of the
originating connection. That's why it's important that the routing on the
Nokia know to send the Office Mode traffic down the site-to-site VPN to
the SPLAT box.
>When I connect to the central gw (SPLAT), and I do a traceroute to the X
>box, it has just two hops: first hop is the Nokia box (doesn't go via the
>SPLAT).
It is going via the SPLAT box; it just doesn't show up in the traceroute.
If it wasn't, the Nokia would not show up as the first hop.
Does this help?
Ray
>From: [EMAIL PROTECTED]
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Secure Remote problem
>Date: Tue, 7 Mar 2006 10:31:31 +0000
>
>Thanks again, Ray.
>
>Huiqi
>
>Mailing list for discussion of Firewall-1
><[email protected]> wrote on 06/03/2006 18:13:35:
>
> > >Not quite like that - I just connect to the central gateway via secure
> > >remote.
> > >I then go to a box behind the Nokia directly (don't think site-to-site
> > >VPN is involved at this point).
> > >The remote address showing up is the (private) IP assigned by the ISP
> > >though.
> >
> > If the remote traffic is not going to the LAN-behind-Nokia via the
> > site-to-site VPN, how does it get there? Is there also some type of WAN
> > connection in addition to the site-to-site VPN?
> >
>I guess here is where my ignorance shows: there isn't a WAN connection
>between the two sites, just site-to-site VPN.
>
>When I connect to the central gw (SPLAT), and I do a traceroute to the X
>box, it has just two hops: first hop is the Nokia box (doesn't go via the
>SPLAT).
>
>The return traffic, which never arrives, stops at the Nokia box
>(disappears into the internet using the default gateway).
>
>Only the SPLAT box offers Office Mode - the Nokia doesn't.
>
>The office mode network isn't in the encryption domain on the SPLAT - is
>this the problem? I can't add a route on the Nokia for OM net to go to the
>SPLAT as it is only using static routes.
>
> > Are you using SecuRemote or SecureClient? Office Mode is only supported
> > by SecureClient. I know some people figured out that some versions of
> > SecuRemote can work with Office Mode, but you have to imagine that Check
> > Point will eventually fix that bug.
> >
>I'm using Secure Client.
>
> > >That's something I'm not sure about: shouldn't the return traffic be
> > >routed via the Nokia?
> > >It doesn't have to go via the central gateway, right?
> >
> > If you're connecting from the Internet to the central gateway, then all
> > return traffic must be routed out the same gateway you connected to.
> > When you're using Office Mode and have multiple Internet gateways, you
> > need to put in a route on all routers so Office Mode IP addresses are
> > routed out the same gateway that they came from. If you're using
> > multiple gateways and all are configured for Office Mode, I think they
> > all have to use different Office Mode subnets.
> >
> > If you get on the X box remotely, like by SSH, perform a traceroute to
> > an Office Mode address and see how it routes.
> >
> > >The remote address showing up is the (private) IP assigned by the ISP
> > >though.
> >
> > So your ISP is assigning a private IP address to its customers?
>Yeah - the ISP in question here is my "test" ISP (as if I'm working from
>home).
> >
> > Sorry for more questions. I just want to make sure I understand your
> > topology.
> >
> > Ray
> >
> > >From: [EMAIL PROTECTED]
> > >Reply-To: Mailing list for discussion of Firewall-1
> > ><[email protected]>
> > >To: [email protected]
> > >Subject: Re: [FW-1] Secure Remote problem
> > >Date: Mon, 6 Mar 2006 16:35:13 +0000
> > >
> > >Thanks Ray. My response below.
> > >
> > >Huiqi
> > >
> > >Mailing list for discussion of Firewall-1
> > ><[email protected]> wrote on 06/03/2006 15:21:13:
> > >
> > > > So when you connect remotely to a box behind the central gateway,
> > > > the remote IP shows up as the Office Mode address?
> > > >
> > >That's correct.
> > >
> > > > But when you connect to the central gateway remotely and go to a
> > > > box behind the Nokia using the site-to-site VPN, the remote IP shows
> > > > up as the IP address assigned by the ISP?
> > > >
> > >Not quite like that - I just connect to the central gateway via secure
> > >remote.
> > >I then go to a box behind the Nokia directly (don't think site-to-site
> > >VPN is involved at this point).
> > >The remote address showing up is the (private) IP assigned by the ISP
> > >though.
> > >
> > > > Does the box running X behind the Nokia know how to route the ISP
> > > > source IP address back to the central gateway or will it route the
> > > > source IP address back to the Nokia gateway?
> > > >
> > > > My guess is it's routing the return traffic to the Nokia and not
> > > > through the site-to-site VPN with the central gateway, but that
> > > > certainly does not explain why the Office Mode IP is not being seen
> > > > behind the Nokia. Maybe it's a clue, though.
> > > >
> > >That's something I'm not sure about: shouldn't the return traffic be
> > >routed via the Nokia?
> > >It doesn't have to go via the central gateway, right?
> > >
> > > > Ray
> > > >
> > > >
> > > > >From: [EMAIL PROTECTED]
> > > > >Reply-To: Mailing list for discussion of Firewall-1
> > > > ><[email protected]>
> > > > >To: [email protected]
> > > > >Subject: Re: [FW-1] Secure Remote problem
> > > > >Date: Mon, 6 Mar 2006 11:31:14 +0000
> > > > >
> > > > >Thanks for the replies.
> > > > >
> > > > >I should have been more specific. I do have a rule to allow X back
> > > > >but the problem is I can't even ping my client?
> > > > >
> > > > >Thanks,
> > > > >
> > > > >Huiqi
> > > > >
> > > > > From: Ronny Nussbaum <[EMAIL PROTECTED]AIL.COM>
> > > > > Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> > > > > To: [EMAIL PROTECTED]INT.COM
> > > > > Subject: Re: [FW-1] Secure Remote problem
> > > > > Date: 03/03/2006 20:43
> > > > > Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> > > > >
> > > > >Or you can make "X11" part of the "Any" group:
> > > > >
> > > > >-Policy menu
> > > > >-Global Properties
> > > > >-SmartDashboard Customization
> > > > >-Stateful Inspection
> > > > >-Check "reject_x11_in_any"
> > > > >
> > > > >-RoNNY
> > > > >
> > > > >On 3/3/06, Reinhard Stich <[EMAIL PROTECTED]> wrote:
> > > > > > hi,
> > > > > >
> > > > > > X11 is not part of the "any"-service - so please make a rule
> > > > > > where you allow X11.
> > > > > >
> > > > > > cheers
> > > > > > reinhard
> > > > > >
> > > > > > At 17:32 03.03.2006, you wrote:
> > > > > > >I'm not sure if I've misunderstood something (not the first
> > > > > > >time), or what else. Here is my problem:
> > > > > > >
> > > > > > >Configuration: one central gateway, and one Nokia enforcement
> > > > > > >module. Both managed by the same smartcentre. Both on NG R55,
> > > > > > >running Traditional Mode VPN. There is a site-to-site VPN
> > > > > > >between the two. Office Mode configured on central gateway.
> > > > > > >
> > > > > > >Problem: Connecting to the internal systems behind the Nokia -
> > > > > > >no problem. But I can't display back X, or even ping the client.
> > > > > > >
> > > > > > >I can connect to the central gateway and display back/ping the
> > > > > > >client without any problems.
> > > > > > >
> > > > > > >I noticed that when I connect to a system behind the central
> > > > > > >gateway (telnet), I can see the IP address of the client is the
> > > > > > >office mode address.
> > > > > > >
> > > > > > >However, connecting to a system behind the Nokia, the IP address
> > > > > > >is not the office mode address but the one assigned by the ISP
> > > > > > >router.
> > > > > > >
> > > > > > >The firewall rules appear to be OK, but the problem is the point
> > > > > > >above (the office mode address isn't shown up).
> > > > > > >
> > > > > > >Any hints?
> > > > > > >
> > > > > > >Many thanks.
> > > > > > >
> > > > > > >Huiqi Liu
> > > > > > >
> > > > > > >=================================================
> > > > > > >To set vacation, Out-Of-Office, or away messages,
> > > > > > >send an email to [EMAIL PROTECTED]
> > > > > > >in the BODY of the email add:
> > > > > > >set fw-1-mailinglist nomail
> > > > > > >=================================================
> > > > > > >To unsubscribe from this mailing list,
> > > > > > >please see the instructions at
> > > > > > >http://www.checkpoint.com/services/mailing.html
> > > > > > >=================================================
> > > > > > >If you have any questions on how to change your
> > > > > > >subscription options, email
> > > > > > >[EMAIL PROTECTED]
> > > > > > >=================================================
> > > > > >
> > > > > > --
> > > > > > Reinhard Stich ASSIST [EMAIL PROTECTED]
> > > > > > Internet Security AG, 1150 Wien, Johnstrasse 29
> > > > > > Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
>
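Ray's point in this thread is that the VPN Domain definitions, not the routing table alone, decide what a gateway encrypts into the site-to-site tunnel. As an added illustration (not code from the thread, from Check Point, or from either poster), the Python model below uses constructed addresses for a SPLAT central gateway, a Nokia gateway and an Office Mode pool, and shows why the X box's return traffic to an Office Mode address leaves the Nokia in the clear unless the OM pool is in the SPLAT box's VPN Domain; it also includes Ray's check that the OM subnet overlaps nothing used internally.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

# Constructed topology modelled on the thread (sample values, not the
# posters' real addresses): a SPLAT central gateway and a Nokia gateway,
# each with its LAN as its VPN Domain and a site-to-site VPN between them.
# Only the SPLAT box hands out Office Mode (OM) addresses.
LAN_SPLAT = ipaddress.ip_network("10.1.0.0/24")
LAN_NOKIA = ipaddress.ip_network("10.2.0.0/24")
OFFICE_MODE = ipaddress.ip_network("172.16.99.0/24")
X_BOX = "10.2.0.50"                     # X server host behind the Nokia
PEER = {"splat": "nokia", "nokia": "splat"}

def vpn_domains(om_in_splat_domain: bool) -> Dict[str, List[Net]]:
    """VPN Domain of each gateway, optionally with the OM pool on SPLAT."""
    splat = [LAN_SPLAT] + ([OFFICE_MODE] if om_in_splat_domain else [])
    return {"splat": splat, "nokia": [LAN_NOKIA]}

def in_domain(domains: Dict[str, List[Net]], gw: str, addr) -> bool:
    return any(addr in net for net in domains[gw])

def forward(gw: str, src: str, dst: str,
            domains: Dict[str, List[Net]]) -> Tuple[str, str]:
    """How gateway `gw` handles a packet src->dst leaving its LAN.

    Ray's rule: encrypt into the site-to-site tunnel only when src is in
    the local VPN Domain and dst is in the peer's; anything else goes in
    the clear to the default gateway (an OM destination is then lost)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    peer = PEER[gw]
    if in_domain(domains, gw, s) and in_domain(domains, peer, d):
        return ("vpn", peer)
    return ("clear", "default-gateway")

def x_return_path(om_in_splat_domain: bool, display: str) -> Tuple[str, str]:
    """Path of the X11 connection the X box opens back to the DISPLAY host."""
    return forward("nokia", X_BOX, display, vpn_domains(om_in_splat_domain))

def om_pool_conflicts(om: Net, internal: List[Net]) -> List[Net]:
    """Ray's check: the OM pool must not overlap any subnet used internally."""
    return [net for net in internal if net.overlaps(om)]

if __name__ == "__main__":
    print(x_return_path(False, "172.16.99.7"))   # symptom: ('clear', ...)
    print(x_return_path(True, "172.16.99.7"))    # OM in domain: ('vpn', 'splat')
    print(x_return_path(False, "192.168.1.10"))  # workaround: ('clear', ...)
    print(om_pool_conflicts(OFFICE_MODE, [LAN_SPLAT, LAN_NOKIA]))  # []
```

Huiqi's final workaround (DISPLAY set to the ISP-assigned address plus an X-out rule) takes the "clear" path deliberately, so that X session travels outside the VPN and is not protected by it.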