You should be using Office Mode instead of IP Pool NAT and that should fix the
issue. Are you doing so?

Jeremy Lieb CCSE+NGX, CCSE-NGX
Firewall Administrator


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On 
Behalf Of LAN Guy
Sent: Friday, September 07, 2007 9:10 AM
To: [email protected]
Subject: [FW-1] Secure Client Routing Problem

I just set up a new UTM-1 gateway (NGX R62) and I'm running into a SecureClient
routing problem that I haven't seen on any of my other gateways. The
client connects, gets a Pool NAT IP address from the gateway, and the packet reaches
the destination server inside the encryption domain. So far so good. Here's
where it goes wrong: when the gateway receives the return packet from the
internal host, it tries to route it back to the *internal* address of the
client (usually a 192.168.0.x or a 10.x.x.x) rather than its external, public
address. The result is that, if the client's private internal address (from a
home or hotel network) happens to also exist on one of the internal nets behind
the firewall (not unlikely), the packet gets misrouted by the gateway and the
client never gets it.

A Check Point tech told me on the phone not to use the same IP range on the
client network that might exist on the destination side. That seems ridiculous,
given the fact that I can't control the private IP ranges used by every hotel,
home, and hotspot network on the planet. There's got to be a workaround.
Anyone have a solution?

Thanks.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
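The misrouting described in the thread comes down to an ordinary longest-prefix-match route lookup being run on the client's private address after the reverse NAT. The following is an added example, not code from the thread, from Check Point or from either poster: a toy forwarder that reproduces the failure with an IP Pool NAT style reverse translation and shows why a dedicated, separately routed client range avoids it. The interface names, the internal subnets, the pool ranges and the assumption that Office Mode addresses come from a range with its own route into the tunnel are all illustrative assumptions, not taken from the page.

```python
"""Toy gateway forwarder reproducing the return-path misrouting from the thread.

Added example; the routing table, interface names and address ranges below are
constructed assumptions, not configuration from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    iface: str


# Constructed routing table for the gateway (assumption): two internal LANs, a
# dedicated client pool that is routed into the VPN tunnel, and a default route.
ROUTES: List[Route] = [
    Route(IPNet("192.168.0.0/24"), "eth1-lan"),        # internal LAN
    Route(IPNet("10.0.0.0/8"), "eth2-lan"),            # internal LAN
    Route(IPNet("172.31.200.0/24"), "vpn-tunnel"),     # Office Mode pool (assumed range)
    Route(IPNet("0.0.0.0/0"), "eth0-external"),        # default route
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> str:
    """Return the egress interface for dst using longest-prefix match."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).iface


# IP Pool NAT scenario as the post describes it: packets inside the tunnel carry
# the client's real hotel/home source address, the gateway translates that to a
# pool address, and the reply is translated back *before* the route lookup.
# Constructed mapping: pool address -> client's private hotel address.
POOL_NAT: Dict[str, str] = {"192.168.55.7": "192.168.0.23"}


def reply_egress_pool_nat(reply_dst: str) -> str:
    """Egress for a server reply addressed to a pool address."""
    client_addr = POOL_NAT[reply_dst]   # reverse NAT restores the hotel address
    return lookup(client_addr)          # ... and the hotel address is what gets routed


# Office Mode scenario (assumption): the client's packets inside the tunnel already
# use the Office Mode address, so there is no reverse NAT and the reply is routed
# on an address whose range has its own route into the tunnel.
def reply_egress_office_mode(reply_dst: str) -> str:
    """Egress for a server reply addressed to an Office Mode address."""
    return lookup(reply_dst)


def conflicting_internal_routes(client_addr: str,
                                routes: List[Route] = ROUTES) -> List[str]:
    """Internal prefixes that would capture a reply sent to client_addr.

    This is the check behind the Check Point tech's advice in the thread: any
    non-default, non-tunnel route covering the client's private address will
    win the lookup and swallow the return packet.
    """
    addr = ipaddress.IPv4Address(client_addr)
    return [str(r.prefix) for r in routes
            if addr in r.prefix
            and r.prefix.prefixlen > 0
            and r.iface != "vpn-tunnel"]


if __name__ == "__main__":
    print("Pool NAT reply  ->", reply_egress_pool_nat("192.168.55.7"))
    print("Office Mode reply ->", reply_egress_office_mode("172.31.200.10"))
    print("Conflicts for 192.168.0.23:", conflicting_internal_routes("192.168.0.23"))
```

Run stand-alone, the Pool NAT reply lands on the internal LAN interface because 192.168.0.0/24 is a longer match than the default route, which is exactly the symptom in the post, while the Office Mode reply goes back into the tunnel because its pool has a dedicated route. The `conflicting_internal_routes` helper is the audit a practitioner would run against a gateway's internal prefixes before deciding whether a given remote client's private range can ever be safe with a reverse-NAT design.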

