Thread: Connections from encryption domain to SecureClient




Connections from encryption domain to SecureClient
2007-09-04 15:22:20
I need to allow connections from our lan to SecureClient.  I have created an
IP NAT Pool, and applied it to SecureClient connections.  A sniffer on the
local lan shows traffic from the SecureClient is indeed being NAT'ed behind
this pool.  However, if we try to connect to the SecureClient from the LAN,
we don't get a response.  SmartView Tracker shows the traffic is being
encrypted, however the SecureClient log viewer shows a VPN Error 01.  A
quick search of SecureKnowledge yielded an article that says to create a
rule in Address Translation that prevents NAT'ing on this outbound traffic.
When I apply this rule, I get the VPN Error 01 in SmartView Tracker and the
action is no longer Encrypt.

I'm running NG AI R55 HFA19 on the gateway and SecureClient R56 build 269 on
the mobile.

Can anyone give me pointers on how to get traffic initiated in the
encryption domain back to a SecureClient?

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================

Re: Connections from encryption domain to SecureClient
2007-09-04 16:36:46
I believe instead of IP Pool NAT, what you need is Office Mode.

You can find details about it in the VPN pdf document you will find in your
installation disks and is also available at the Check Point website.

Regards

On 9/4/07, Wayne Keatts <bu93y35gmail.com> wrote:
>
> I need to allow connections from our lan to SecureClient.  I have created
> an IP NAT Pool, and applied it to SecureClient connections.  A sniffer on
> the local lan shows traffic from the SecureClient is indeed being NAT'ed
> behind this pool.  However, if we try to connect to the SecureClient from
> the LAN, we don't get a response.  SmartView Tracker shows the traffic is
> being encrypted, however the SecureClient log viewer shows a VPN Error 01.
> A quick search of SecureKnowledge yielded an article that says to create a
> rule in Address Translation that prevents NAT'ing on this outbound
> traffic.
> When I apply this rule, I get the VPN Error 01 in SmartView Tracker and
> the action is no longer Encrypt.
>
> I'm running NG AI R55 HFA19 on the gateway and SecureClient R56 build 269
> on the mobile.
>
> Can anyone give me pointers on how to get traffic initiated in the
> encryption domain back to a SecureClient?
>



-- 
Sergio Alvarez
(506)8301342


Re: Connections from encryption domain to SecureClient
Netherlands
2007-09-04 17:00:33
On Tue, 4 Sep 2007, Sergio Alvarez wrote:

> I believe instead of IP Pool NAT, what you need is Office Mode.
>
> You can find details about it in the VPN pdf document you will find in your
> installation disks and is also available at the Check Point website.

There is a limitation. Back connections to SecureClient over visitor mode
connections are not fully supported. When we ran into this we ended up
filing a feature request. So I very much doubt it will work perfectly for
any current version of Check Point.

Check Point claimed it takes too many CPU cycles from the firewall to do
this. (I can vouch for the fact that visitor mode needs significantly
more CPU cycles compared to normal NAT traversal. Seen it on many
installations.)

Hugo.

-- 
 	hvdkooijvanderkooij.org	http://hugo.vanderkooij.org/
 	    This message is using 100% recycled electrons.

 	Some men see computers as they are and say "Windows"
 	I use computers with Linux and say "Why Windows?"
 	(Thanks JFK, for this quote of George Bernard Shaw.)


Re: Connections from encryption domain to SecureClient
2007-09-04 17:44:59

Wayne Keatts <bu93y35GMAIL.COM> wrote:
>
> I need to allow connections from our lan to SecureClient.  I have
> created an IP NAT Pool, and applied it to SecureClient connections.  A
> sniffer on the local lan shows traffic from the SecureClient is indeed
> being NAT'ed behind this pool.  However, if we try to connect to the
> SecureClient from the LAN, we don't get a response.

SecuRemote (and SecureClient without Office Mode) uses Hide NAT, which
only works in one direction, from outside to inside.  The reverse
direction is not possible without Office Mode, as others have pointed out.

-- 
David DeSimone == Network Admin == foxverio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous.  -- Robert Benchley
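
The one-way behaviour described in the reply above, as a simplified model added here for illustration (not part of the original thread and not Check Point code). The class names, client names and addresses are constructed, and Office Mode is modelled only as "each client leases its own address".

```python
# Simplified model, constructed for illustration; not Check Point code.
from dataclasses import dataclass, field


@dataclass
class HideNatGateway:
    """Many clients share one hide address; state exists only per client-opened flow."""
    hide_ip: str
    next_port: int = 10000
    flows: dict = field(default_factory=dict)  # (hide_ip, port) -> (client, client_port)

    def client_initiates(self, client, client_port):
        """Client opens a flow to the LAN: allocate a hide port and record it."""
        key = (self.hide_ip, self.next_port)
        self.flows[key] = (client, client_port)
        self.next_port += 1
        return key  # source address/port the LAN host sees

    def lan_sends(self, dst_ip, dst_port):
        """LAN packet to the hide address: deliverable only if a flow matches."""
        return self.flows.get((dst_ip, dst_port))


@dataclass
class PerClientAddressGateway:
    """Each client leases its own address, so the destination IP names the client."""
    pool: list
    leases: dict = field(default_factory=dict)  # leased_ip -> client

    def client_connects(self, client):
        ip = self.pool.pop(0)
        self.leases[ip] = client
        return ip

    def lan_sends(self, dst_ip, dst_port):
        client = self.leases.get(dst_ip)
        return (client, dst_port) if client else None


def demo():
    """Return what each gateway does with reply traffic and LAN-initiated traffic."""
    hide = HideNatGateway("10.1.1.250")            # constructed hide address
    src = hide.client_initiates("alice-laptop", 51000)
    hide.client_initiates("bob-laptop", 51000)     # second client, same hide address
    office = PerClientAddressGateway(["10.1.2.10", "10.1.2.11"])
    alice_ip = office.client_connects("alice-laptop")
    return {
        "hide_reply": hide.lan_sends(*src),               # reply on an existing flow
        "hide_new": hide.lan_sends("10.1.1.250", 3389),   # LAN-initiated, no state
        "office_new": office.lan_sends(alice_ip, 3389),   # LAN-initiated, per-client IP
    }
```

With two clients behind the same hide address, a LAN-initiated packet carries nothing that identifies which client it is for, so the gateway has no entry to match it against.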

