"And the native address is, as assigned by my ADSL router, 172.16.0.33. All would be fine, if we didn't have 172.16/16 used internally as well. The 172.16/16 internal route appears on the laptop's routing table and somehow this causes the communication to enc B to fail - no traffic turns up on gateway B."

Ahh, now I think I almost have it. Is "B" where they are using 172/16?

What version of SecureClient are you using? Seems to me there was an issue with this in some R56 variant and earlier (where Office Mode didn't fix this situation even though it was supposed to). I'm using SecureClient NGX R60 HFA01.

If you're not using dynamic interface resolving, try turning it on. It fixed some other quirky problems we had.

I definitely do not have their encryption domain set up in mine and I'm pretty sure they do not have mine in theirs.

Ray


From: [EMAIL PROTECTED]
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] Secure Remote and Private IP conflict
Date: Thu, 18 Jan 2007 10:39:20 +0000

Ray,

You are almost right, so you are right about doing something wrong :-)

See comments below.

Mailing list for discussion of Firewall-1
<[email protected]> wrote on 18/01/2007 00:37:28:

> Well, if I understand this now, I must be doing something wrong. :-)
>
> 1. I connect to an R55 gateway in the US and get an Office Mode address.
Correct.  Call this Site A.

>
> 2. Another R55 gateway in another country has a site-to-site VPN with us.
> It's not managed by our SmartCenter.
Correct.  Call this Site B.
>
> 3. I have full access to both my encryption domain and theirs using
> SecureClient remotely.
>
> The folks on the other side can connect to their gateway and fully access
> our encryption domain as well. We do use hub mode and I use dynamic
> interface resolving.
>
> I can see their Office Mode addresses hitting our servers in the server
> logs.
>
That's where the problem is.  When I connect to Site A, I can only access the
encryption domain in Site A (call this enc A).  When they connect to Site B,
they can only access the encryption domain in Site B (call this enc B).

We aren't using hub mode.

And I don't see their office mode addresses hitting my firewall (or vice versa).

You may already know this, but for clarification, I mention this anyway.
Office mode address is only used to communicate with the respective encryption
domains.  So when I connect to Site A, I use office mode address to talk to
enc A, but use the native address to talk to enc B.  And the native address is,
as assigned by my ADSL router, 172.16.0.33.  All would be fine, if we didn't
have 172.16/16 used internally as well.  The 172.16/16 internal route appears
on the laptop's routing table and somehow this causes the communication to
enc B to fail - no traffic turns up on gateway B.

I understand that in NGX, per-site office mode may fix this problem.

Thank you!

Huiqi

> Is this the same situation as you're describing?
>
> Ray
>
>



> >No we don't have a MEP configuration but yes site A and site B have a
> >site-to-site VPN.
> >
> > > What do you mean by "client"? The computer connecting by remote access?
> > > How is an ISP router supplying addresses to the remote access computer?
> > >
> >By the client, I meant the laptop connected via an ISP to the internet,
> >and getting a NATed DHCP address from the ISP router.
> >
> >It looks like the only way forward is to upgrade to NGX, and use per-site
> >office mode address assignment.
> >
> >Thanks!
> >
> > > Ray
> > >

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
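The clash Huiqi describes (the ADSL router hands the laptop an address inside 172.16/16 while SecureClient pushes 172.16/16 as enc A) can be caught before anyone blames the gateway. The following check is an added example written for this thread, not code from the list or from Check Point; the /24 LAN prefix, the enc B prefix and the route labels are constructed assumptions, since the thread gives only the native address 172.16.0.33.

```python
import ipaddress

# Constructed values, not taken from the thread: only the native address
# 172.16.0.33 is given, so a /24 LAN behind the ADSL router is assumed,
# and enc B is a documentation-range placeholder.
LOCAL_IFACE = ipaddress.ip_interface("172.16.0.33/24")
VPN_ROUTES = {
    "enc A": ipaddress.ip_network("172.16.0.0/16"),  # pushed by SecureClient
    "enc B": ipaddress.ip_network("192.0.2.0/24"),   # placeholder prefix
}

def overlapping_routes(local_iface, routes):
    """Names of VPN routes that overlap the laptop's directly connected LAN."""
    return [name for name, net in routes.items()
            if net.overlaps(local_iface.network)]

def route_for(dest, local_iface, routes):
    """Longest-prefix match over the connected route plus the VPN routes.
    Returns 'connected LAN', a VPN route name, or 'default' (the ADSL router)."""
    dest = ipaddress.ip_address(dest)
    candidates = [("connected LAN", local_iface.network)] + list(routes.items())
    matches = [(net.prefixlen, name) for name, net in candidates if dest in net]
    return max(matches)[1] if matches else "default"

def shadowed_by_lan(local_iface, routes):
    """For each overlapping VPN route, the slice of it the laptop will never
    send through the tunnel, because the connected LAN route is more specific."""
    lan = local_iface.network
    return {name: lan for name, net in routes.items() if lan.subnet_of(net)}

def precheck(local_iface, routes):
    """Pre-connect report: one line per clash a VPN route would create."""
    lines = []
    for name in overlapping_routes(local_iface, routes):
        lines.append(f"{name} {routes[name]} overlaps local LAN {local_iface.network}")
    for name, shadow in shadowed_by_lan(local_iface, routes).items():
        lines.append(f"hosts in {shadow} of {name} are reached locally, not via VPN")
    return lines

if __name__ == "__main__":
    for line in precheck(LOCAL_IFACE, VPN_ROUTES):
        print(line)
    for dest in ("172.16.0.50", "172.16.5.10", "192.0.2.7", "203.0.113.9"):
        print(dest, "->", route_for(dest, LOCAL_IFACE, VPN_ROUTES))
```

Run it on a laptop's actual interface prefix and the routes SecureClient installs, and the report shows which part of enc A is unreachable through the tunnel on that particular home network.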
