You should be using Office Mode instead of IP Pool NAT, and that should fix the issue. Are you doing so?
Jeremy Lieb CCSE+NGX, CCSE-NGX
Firewall Administrator
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of LAN Guy
Sent: Friday, September 07, 2007 9:10 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: [FW-1] Secure Client Routing Problem
I just set up a new UTM-1 gateway (NGX R62) and I'm running into a SecureClient routing problem that I haven't seen on any of my other gateways. The client connects, gets an IP Pool NAT address from the gateway, and the packet reaches the destination server inside the encryption domain. So far so good. Here's where it goes wrong: when the gateway receives the return packet from the internal host, it tries to route it back to the *internal* address of the client (usually a 192.168.0.x or a 10.x.x.x) rather than its external, public address. The result is that, if the client's private internal address (from a home or hotel network) happens to also exist on one of the internal nets behind the firewall (not unlikely), the packet gets misrouted by the gateway and the client never gets it.

A Check Point tech told me on the phone not to use the same IP range on the client network that might exist on the destination side. That seems ridiculous, given that I can't control the private IP ranges used by every hotel, home, and hotspot network on the planet. There's got to be a workaround. Anyone have a solution?

Thanks.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner@ts.checkpoint.com
=================================================
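The routing failure described in the thread, and why Office Mode avoids it, modelled as an added Python example. This is not Check Point code and not from either poster: the gateway routing table, the internal networks, the Office Mode pool 10.99.0.0/24 and the client addresses are all assumed values. With IP Pool NAT the gateway un-NATs the reply back to the client's real address and routes on it, so a client whose hotel address collides with an internal net hits the LAN route; with Office Mode the reply is addressed to the client's Office Mode address, which lives in a pool only the tunnel owns. The block also includes the check a practitioner wants before enabling Office Mode: that the pool does not overlap any network behind the gateway.

```python
"""Return-path routing for a remote VPN client, as a small model.

Added illustration for this thread; not Check Point code. The routing table,
the address ranges and the client addresses are constructed values.
"""
import ipaddress
from typing import List, Optional, Tuple

# Networks behind the gateway (assumed). 192.168.0.0/24 is deliberately the same
# private range a hotel or home router is likely to hand the remote client.
INTERNAL_NETS: List[str] = ["10.1.0.0/16", "192.168.0.0/24"]

# Office Mode pool: a range reserved for VPN clients and nothing else (assumed).
OFFICE_MODE_POOL = "10.99.0.0/24"

# Gateway routing table as (destination, egress). Office Mode addresses are
# reached only through the VPN pseudo-interface; everything else goes out as usual.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network(n), "LAN") for n in INTERNAL_NETS
] + [
    (ipaddress.ip_network(OFFICE_MODE_POOL), "VPN tunnel"),
    (ipaddress.ip_network("0.0.0.0/0"), "Internet"),
]


def lookup(dst: str) -> str:
    """Longest-prefix match: the egress any router picks for dst."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, egress in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    assert best is not None  # the default route always matches
    return best[1]


def return_path_ip_pool_nat(client_real_ip: str) -> str:
    """IP Pool NAT: the server answers the pool address, the gateway un-NATs the
    reply to the client's real (hotel/home) address and then routes on that.
    If that address also exists behind the gateway, the more specific LAN route
    wins over the default route that would have carried it back to the client."""
    return lookup(client_real_ip)


def return_path_office_mode(client_om_ip: str) -> str:
    """Office Mode: the server answers the client's Office Mode address, which
    lies in a pool only the VPN tunnel owns, so the client's real address never
    takes part in the routing decision."""
    return lookup(client_om_ip)


def office_mode_pool_is_safe(pool: str, internal_nets: List[str] = INTERNAL_NETS) -> bool:
    """Check before enabling Office Mode: the pool must not overlap any network
    behind the gateway, or the same ambiguity comes back under a different name."""
    p = ipaddress.ip_network(pool)
    return not any(p.overlaps(ipaddress.ip_network(n)) for n in internal_nets)


if __name__ == "__main__":
    print("IP Pool NAT, client really at 192.168.0.10 ->", return_path_ip_pool_nat("192.168.0.10"))
    print("IP Pool NAT, client really at 172.16.5.7   ->", return_path_ip_pool_nat("172.16.5.7"))
    print("Office Mode, client at 10.99.0.5           ->", return_path_office_mode("10.99.0.5"))
    print("Office Mode pool", OFFICE_MODE_POOL, "safe:", office_mode_pool_is_safe(OFFICE_MODE_POOL))
    print("Pool 192.168.0.128/25 safe:", office_mode_pool_is_safe("192.168.0.128/25"))
```

The colliding client (192.168.0.10) is routed to the LAN under IP Pool NAT, exactly the symptom in the thread, while the non-colliding one (172.16.5.7) falls through to the default route and leaves toward the client. The Office Mode client is always routed into the tunnel, which is why the fix works regardless of what range the hotel hands out; the only range that must be kept distinct is the Office Mode pool itself, and `office_mode_pool_is_safe` is the one-line check for that.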