Right. You would need the Office mode per site function turned on for 1 OM
address to traverse multiple gateways. We actually have that enabled and it
works quite well. If the Smart Center is at least on NGX you can enable it in
the Global properties; you just have to make sure the OM network is routed at
each location. Also, the OM antispoofing and assignment per user cannot be used
if this is enabled.

Jeremy Lieb CCSE+NGX, CCSE-NGX
Firewall Administrator


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On 
Behalf Of LAN Guy
Sent: Friday, September 07, 2007 2:04 PM
To: [email protected]
Subject: Re: [FW-1] Secure Client Routing Problem

Not using OM because of issues connecting to multiple gateways.  Normally, the 
client connects initially to the gateway at our HQ, which is the policy server. 
Then when they attempt to connect to a resource at the remote office (where the 
UTM-1 is), they're prompted to authenticate with the second gateway. When they 
do, they get a connection but the second gw (when I had OM turned on) wouldn't 
give them an OM address on the UTM gateway.  

> Date: Fri, 7 Sep 2007 10:23:09 -0400
> From: [EMAIL PROTECTED]
> Subject: Re: [FW-1] Secure Client Routing Problem
> To: [email protected]
>
> You should be using Office mode instead of IP Pool Nat and that should fix
> the issue. Are you doing so?
>
> Jeremy Lieb CCSE+NGX, CCSE-NGX
> Firewall Administrator
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On
> Behalf Of LAN Guy
> Sent: Friday, September 07, 2007 9:10 AM
> To: [email protected]
> Subject: [FW-1] Secure Client Routing Problem
>
> I just set up a new UTM-1 gateway (NGX R62) and I'm running into a secure
> client routing problem that I haven't seen on any of my other gateways. The
> client connects, gets a pool nat IP address from the gateway, packet reaches
> the destination server inside the encryption domain. So far so good. Here's
> where it goes wrong: when the gateway receives the return packet from the
> internal host, it tries to route it back to the *internal* address of the
> client (usually a 192.168.0.x, or a 10.x.x.x) rather than its external,
> public address. The result is that, if the client's private internal address
> (from a home or hotel network) happens to also exist on one of the internal
> nets behind the firewall (not unlikely), the packet gets misrouted by the
> gateway and the client never gets it.
>
> A CheckPoint tech told me on the phone not to use the same IP range on the
> client network that might exist on the destination side. That seems
> ridiculous, given the fact that I can't control the private IP ranges used by
> every hotel, home, and hotspot network on the planet. There's got to be a
> workaround. Anyone have a solution??
>
> Thanks.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
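
An added illustration, not part of the original thread: a simplified route-lookup model of the address collision described in the first post, plus a check for the two conditions raised in the replies (the OM network must be routed at each location and should not collide with internal nets). The site names, addresses, route tables and OM pool are constructed sample values, and the model is an assumption about site routing, not Check Point's implementation.

```python
import ipaddress as ip

# Constructed sample data (not from the thread): two sites, their internal
# routes, and one Office Mode (OM) pool shared across gateways.
OM_POOL = ip.ip_network("172.31.250.0/24")
SITES = {
    "hq": {"gateway": "10.1.0.1",
           "routes": {"10.1.0.0/16": "local", "192.168.0.0/24": "local",
                      "172.31.250.0/24": "10.1.0.1"}},
    "remote": {"gateway": "10.2.0.1",
               "routes": {"10.2.0.0/16": "local"}},  # OM route missing here
}

def lookup(routes, addr):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    addr = ip.ip_address(addr)
    hits = [(ip.ip_network(p), nh) for p, nh in routes.items()
            if addr in ip.ip_network(p)]
    if not hits:
        return None
    net, nh = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), nh

def return_path(site, client_addr):
    """Classify where a site would send a reply addressed to client_addr."""
    hit = lookup(SITES[site]["routes"], client_addr)
    if hit is None:
        return "no-route"
    if hit[1] == SITES[site]["gateway"]:
        return "to-gateway"
    return "misrouted-internal"

def audit(pool=OM_POOL):
    """Per site: does the OM pool collide with internal nets, is it routed?"""
    report = {}
    for name, site in SITES.items():
        internal = [ip.ip_network(p) for p, nh in site["routes"].items()
                    if nh == "local"]
        overlap = any(pool.overlaps(n) for n in internal)
        routed = site["routes"].get(str(pool)) == site["gateway"]
        report[name] = {"overlap": overlap, "routed": routed}
    return report

if __name__ == "__main__":
    print(return_path("hq", "192.168.0.57"))      # client's hotel-side address
    print(return_path("hq", "172.31.250.10"))     # OM-assigned address
    print(return_path("remote", "172.31.250.10"))
    print(audit())
```
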
