Thread: Re: Secure Client Routing Problem




United States
2007-09-07 14:39:37
Can you point me to documentation on this? (The Office mode per site function, so that an Office mode IP can traverse multiple gateways). In the past the only way I have gotten this working correctly is to use VPN routing.

Ted


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM] On Behalf Of Jeremy Lieb
Sent: Friday, September 07, 2007 2:20 PM
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Secure Client Routing Problem

Right. You would need the Office mode per site function turned on for 1 OM address to traverse multiple gateways. We actually have that enabled and it works quite well. If the SmartCenter is at least on NGX you can enable it in the Global Properties; you just have to make sure the OM network is routed at each location. Also, the OM antispoofing and assignment per user cannot be used if this is enabled.

Jeremy Lieb CCSE+NGX, CCSE-NGX
Firewall Administrator


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM] On Behalf Of LAN Guy
Sent: Friday, September 07, 2007 2:04 PM
To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Secure Client Routing Problem

Not using OM because of issues connecting to multiple gateways. Normally, the client connects initially to the gateway at our HQ, which is the policy server. Then when they attempt to connect to a resource at the remote office (where the UTM-1 is), they're prompted to authenticate with the second gateway. When they do, they get a connection but the second gw (when I had OM turned on) wouldn't give them an OM address on the UTM gateway.

> Date: Fri, 7 Sep 2007 10:23:09 -0400
> From: jliebOPENTEXT.COM
> Subject: Re: [FW-1] Secure Client Routing Problem
> To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
>
> You should be using Office mode instead of IP Pool NAT and that should fix the issue. Are you doing so?
>
> Jeremy Lieb CCSE+NGX, CCSE-NGX
> Firewall Administrator
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM] On Behalf Of LAN Guy
> Sent: Friday, September 07, 2007 9:10 AM
> To: FW-1-MAILINGLISTAMADEUS.US.CHECKPOINT.COM
> Subject: [FW-1] Secure Client Routing Problem
>
> I just set up a new UTM-1 gateway (NGX R62) and I'm running into a secure client routing problem that I haven't seen on any of my other gateways. The client connects, gets a pool NAT IP address from the gateway, packet reaches the destination server inside the encryption domain. So far so good. Here's where it goes wrong: when the gateway receives the return packet from the internal host, it tries to route it back to the *internal* address of the client (usually a 192.168.0.x, or a 10.x.x.x) rather than its external, public address. The result is that, if the client's private internal address (from a home or hotel network) happens to also exist on one of the internal nets behind the firewall (not unlikely), the packet gets misrouted by the gateway and the client never gets it.
>
> A CheckPoint tech told me on the phone not to use the same IP range on the client network that might exist on the destination side. That seems ridiculous, given the fact that I can't control the private IP ranges used by every hotel, home, and hotspot network on the planet. There's got to be a workaround. Anyone have a solution??
>
> Thanks.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERVamadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ownerts.checkpoint.com
=================================================
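
An added example, not part of the original thread and not Check Point code: a small audit of the two conditions discussed above, namely whether a client's home or hotel address collides with a network behind the gateway, and whether the Office Mode pool is unique and routed toward the VPN gateway at every site. All networks, site names and hop labels (`lan`, `vpn-gw`, `internet`) are constructed, and routing is modelled as plain longest-prefix match.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
INTERNAL_NETS = ["10.1.0.0/16", "192.168.0.0/24", "172.20.5.0/24"]
OM_POOL = "172.31.250.0/24"
SITE_ROUTES = {
    "hq": [("0.0.0.0/0", "internet"), ("10.1.0.0/16", "lan"),
           ("172.31.250.0/24", "vpn-gw")],
    "branch": [("0.0.0.0/0", "internet"), ("192.168.0.0/24", "lan")],
}

def next_hop(routes, addr):
    """Longest-prefix match of addr against a list of (prefix, hop) routes."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in routes
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def collides(client_ip, internal_nets=INTERNAL_NETS):
    """Internal networks that contain the client's own (home/hotel) address.

    A non-empty result is the case from the thread: a reply addressed to the
    client's private address is delivered to the internal LAN instead.
    """
    ip = ipaddress.ip_address(client_ip)
    return [n for n in internal_nets if ip in ipaddress.ip_network(n)]

def om_pool_problems(pool=OM_POOL, internal_nets=INTERNAL_NETS,
                     site_routes=SITE_ROUTES):
    """Check that the OM pool overlaps no internal net and is routed at each site."""
    net = ipaddress.ip_network(pool)
    problems = [f"pool overlaps internal net {n}" for n in internal_nets
                if net.overlaps(ipaddress.ip_network(n))]
    probe = str(net.network_address + 1)  # any address inside the pool
    for site, routes in site_routes.items():
        hop = next_hop(routes, probe)
        if hop != "vpn-gw":
            problems.append(f"{site}: OM pool routed to {hop!r}, not the VPN gateway")
    return problems

if __name__ == "__main__":
    print(collides("192.168.0.57"))   # hotel address that exists behind the gateway
    print(om_pool_problems())         # branch site has no route for the OM pool
```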
