Not using OM because of issues connecting to multiple
gateways. Normally, the client connects initially to the
gateway at our HQ, which is the policy server. Then when
they attempt to connect to a resource at the remote office
(where the UTM-1 is), they're prompted to authenticate with
the second gateway. When they do, they get a connection but
the second gw (when I had OM turned on) wouldn't give them
an OM address on the UTM gateway.
> Date: Fri, 7 Sep 2007 10:23:09 -0400
> From: jlieb OPENTEXT.COM
> Subject: Re: [FW-1] Secure Client Routing Problem
> To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
>
> You should be using Office mode instead of IP Pool NAT and that should fix
> the issue. Are you doing so?
>
> Jeremy Lieb CCSE+NGX, CCSE-NGX
> Firewall Administrator
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM] On Behalf Of LAN Guy
> Sent: Friday, September 07, 2007 9:10 AM
> To: FW-1-MAILINGLIST AMADEUS.US.CHECKPOINT.COM
> Subject: [FW-1] Secure Client Routing Problem
>
> I just set up a new UTM-1 gateway (NGX R62) and I'm running into a secure
> client routing problem that I haven't seen on any of my other gateways. The
> client connects, gets a pool NAT IP address from the gateway, packet reaches
> the destination server inside the encryption domain. So far so good. Here's
> where it goes wrong: when the gateway receives the return packet from the
> internal host, it tries to route it back to the *internal* address of the
> client (usually a 192.168.0.x, or a 10.x.x.x) rather than its external,
> public address. The result is that, if the client's private internal address
> (from a home or hotel network) happens to also exist on one of the internal
> nets behind the firewall (not unlikely), the packet gets misrouted by the
> gateway and the client never gets it.
>
> A CheckPoint tech told me on the phone not to use the same IP range on the
> client network that might exist on the destination side. That seems
> ridiculous, given the fact that I can't control the private IP ranges used
> by every hotel, home, and hotspot network on the planet. There's got to be a
> workaround. Anyone have a solution??
>
> Thanks.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http:
//www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner ts.checkpoint.com
=================================================
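The following is an added illustration, not part of the list messages above and not Check Point code. It models the return-path problem exactly as the original poster describes it (the gateway routing the reply on the client's private LAN address, which can collide with an internal subnet) and contrasts it with a dedicated Office Mode pool that the gateway routes back into the tunnel. The internal networks, the pool `10.99.0.0/24`, the client addresses and the next-hop labels (`lan`, `tunnel`, `internet`) are all constructed for the example; nothing here describes SecureClient or Office Mode internals. The `pool_overlaps` check is the planning step a practitioner would want before turning Office Mode on: confirm the pool does not overlap any network behind the gateway.

```python
"""Model of the SecureClient return-path problem discussed in the thread.

Added example, not Check Point code and not a description of SecureClient
or Office Mode internals. The gateway routing table, the client addresses
and the Office Mode pool are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed internal networks behind the remote-office gateway.
INTERNAL_NETS = ["10.20.0.0/16", "192.168.0.0/24", "172.16.5.0/24"]
# Hypothetical Office Mode pool, deliberately outside every internal net.
OFFICE_MODE_POOL = "10.99.0.0/24"


def build_routes(internal_nets: List[str], om_pool: Optional[str] = None) -> List[Route]:
    """Gateway routing table. Next hops are labels: 'lan' (an internal
    interface), 'tunnel' (encapsulate back to the SecureClient), 'internet'."""
    routes: List[Route] = [(ipaddress.ip_network(n), "lan") for n in internal_nets]
    if om_pool is not None:
        routes.append((ipaddress.ip_network(om_pool), "tunnel"))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "internet"))
    return routes


def lookup(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, the way any router picks a next hop."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    assert best is not None  # the default route always matches
    return best[1]


def return_hop_pool_nat(internal_nets: List[str], client_lan_ip: str) -> str:
    """Scenario the original post describes: the reply is routed on the
    client's *private* LAN address. If that address falls inside an
    internal net, longest-prefix match sends it to the LAN, not the client."""
    return lookup(build_routes(internal_nets), client_lan_ip)


def return_hop_office_mode(internal_nets: List[str], om_pool: str, client_om_ip: str) -> str:
    """With a dedicated Office Mode pool routed to the tunnel, the reply is
    addressed to the client's OM address; the client's home LAN address
    never enters the routing decision."""
    return lookup(build_routes(internal_nets, om_pool), client_om_ip)


def pool_overlaps(om_pool: str, internal_nets: List[str]) -> List[str]:
    """Planning check: which internal nets a proposed OM pool collides with.
    A non-empty result means OM addresses would hit the same problem."""
    pool = ipaddress.ip_network(om_pool)
    return [n for n in internal_nets if pool.overlaps(ipaddress.ip_network(n))]


def demo() -> Dict[str, object]:
    """Run the cases the thread turns on; results are returned for inspection."""
    home_ip = "192.168.0.5"   # constructed: a hotel/home LAN address
    om_ip = "10.99.0.17"      # constructed: leased from OFFICE_MODE_POOL
    return {
        "pool_nat_overlapping_client": return_hop_pool_nat(INTERNAL_NETS, home_ip),
        "office_mode_client": return_hop_office_mode(INTERNAL_NETS, OFFICE_MODE_POOL, om_ip),
        "bad_pool_overlaps": pool_overlaps("192.168.0.0/24", INTERNAL_NETS),
        "good_pool_overlaps": pool_overlaps(OFFICE_MODE_POOL, INTERNAL_NETS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the constructed home address `192.168.0.5` being sent to the LAN under the pool-NAT scenario, while the Office Mode address `10.99.0.17` is sent back into the tunnel. Two caveats the model does not cover: the internal routers behind the gateway also need a route for the Office Mode pool pointing at the gateway, and the check above only compares the pool with the gateway's own networks, not with whatever LAN the client happens to be sitting on.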