Firewall-1

Subject: [FW-1]
From: harptech AT OPTUSNET.COM DOT AU
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sun, 22 Feb 2004 22:43:53 +1100
Hi,

        Can anyone offer any advice on the problem detailed below?


Layout:

I've been asked to look at a problem where a client PC cannot set up an HTTPS
connection. Here is the topology: the platform is NT4 running NG FP1. Currently
two ISPs are used whilst changing from one to the other. Most services, e-mail
etc., are still provided by the old ISP.



     Interface   Address                        Comment

         1       xxx.xxx.xxx.xxx/24 (invalid)   External to (old) ISP
         2       192.168.37.1/24                Private segment
         3       xxx.xxx.xxx.xxx/29 (valid)     External to new ISP
         4       192.168.27.1/24                Internal LAN
         5       192.168.52.0/16                Number of remote offices via a network supplier




Interface 5 is specified as a group (of networks) on the firewall object. This router
connects, via other routers, 8 distinct remote sites. These sites all form part of the
same Win2k Domain and Active Directory runs across them. I have no visibility of
the routers.

Problem:

Cannot set up an HTTPS link from one of the remote sites off interface 5. For example,
a network addressed as 192.168.82.0/24. A user on the Local LAN wishes to
create an HTTPS link. First they connect to the proxy on the Local LAN. The proxy
sets up the connection and then hands it back to the client with no problems
(uses interface 1, which provides the hide address for the LAN). A client PC on one
of the remote LANs, for example off 192.168.82.0/24, connects to the proxy on the
Local LAN. The proxy initiates the connection and then hands it back to the client.
The client tries to open the handshake with the remote site but never succeeds. So
far I have tried bypassing the proxy, adding manual NAT rules, routes etc., all without
any success. Can anyone offer any pointers?

So the initial connection looks like this, using example IP addresses:


192.168.82.31/24 --> Interface 5 --> Interface 4 --> Proxy --> Interface 1 --> Remote site via ISP

Once handed across:

192.168.82.31/24 --> Interface 5 --> Interface 1 --> Remote site via ISP


Note: normal connections (i.e. HTTP), which run through the proxy, are fine and run
without problem from any of the remote sites.



Regards
Harp
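One check a practitioner would want to make on the topology above is whether the hide-NAT source definition on the firewall object actually covers the remote-office networks, not only the Local LAN: a flow that is handed back to a 192.168.82.x client and goes out interface 1 directly (rather than via the proxy on the Local LAN) only has a routable source address if some hide rule matches it. The following is an added example written for this page, not code from the post or from Check Point; it models the interfaces, routing and hide NAT as a small simulator so the two rule sets can be compared offline. The public addresses (203.0.113.0/24, 198.51.100.0/29, the hide address 203.0.113.1, the test destination 192.0.2.10) are documentation-range stand-ins for the redacted ones, the remote-office group is assumed to be 192.168.0.0/16, and the default route is assumed to point at interface 1 as the post describes.

```python
import ipaddress

# Constructed model of the topology in the post (example data, not the real firewall).
# Real external addresses are redacted in the post; documentation ranges stand in for them.
INTERFACES = {
    1: ipaddress.ip_network("203.0.113.0/24"),   # external, old ISP (assumed address)
    2: ipaddress.ip_network("192.168.37.0/24"),  # private segment
    3: ipaddress.ip_network("198.51.100.0/29"),  # external, new ISP (assumed address)
    4: ipaddress.ip_network("192.168.27.0/24"),  # internal (Local) LAN
    5: ipaddress.ip_network("192.168.0.0/16"),   # remote offices, assumed to be the /16 group
}
EXTERNAL_IFACES = {1, 3}
HIDE_ADDRESS = ipaddress.ip_address("203.0.113.1")  # interface 1 address used for hide NAT (assumed)
DEFAULT_ROUTE_IFACE = 1  # default route still via the old ISP, as the post says

# Two candidate hide-NAT configurations (hypothetical): rules are (source network, hide behind).
NAT_ONLY_LOCAL_LAN = [(ipaddress.ip_network("192.168.27.0/24"), HIDE_ADDRESS)]
NAT_LAN_AND_REMOTE_GROUP = NAT_ONLY_LOCAL_LAN + [
    (ipaddress.ip_network("192.168.0.0/16"), HIDE_ADDRESS),
]


def egress_interface(dst):
    """Longest-prefix match over connected networks, falling back to the default route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for iface, net in INTERFACES.items() if dst in net]
    return max(matches)[1] if matches else DEFAULT_ROUTE_IFACE


def apply_hide_nat(src, dst, hide_rules):
    """Return (egress_iface, translated_src, note) for a flow under first-match hide NAT."""
    src = ipaddress.ip_address(src)
    out_if = egress_interface(dst)
    if out_if not in EXTERNAL_IFACES:
        return out_if, src, "internal destination, no NAT applied"
    for net, hide in hide_rules:  # first matching rule wins, as in a rulebase
        if src in net:
            return out_if, hide, f"hidden behind {hide} by rule for {net}"
    if src.is_private:
        return out_if, src, "LEAK: no hide rule matched, private source leaves the firewall untranslated"
    return out_if, src, "public source, no translation needed"


def trace(src, dst, hide_rules):
    """Summarise one flow as a dict so several sources/rule sets can be compared."""
    out_if, tsrc, note = apply_hide_nat(src, dst, hide_rules)
    return {"egress": out_if, "src": str(tsrc), "note": note}


if __name__ == "__main__":
    https_server = "192.0.2.10"  # constructed external HTTPS destination
    for label, rules in (("hide only Local LAN", NAT_ONLY_LOCAL_LAN),
                         ("hide Local LAN + remote group", NAT_LAN_AND_REMOTE_GROUP)):
        print(f"== {label} ==")
        for client in ("192.168.27.10", "192.168.82.31"):
            print(f"  {client:>14} -> {https_server}: {trace(client, https_server, rules)}")
```

The first rule set reproduces the symptom pattern worth testing against: a Local LAN host leaves interface 1 behind the hide address, while a 192.168.82.31 client reaches the default route with its RFC 1918 source intact, so the remote server's SYN/ACK has nowhere routable to return to. Adding the remote-office group to the hide rules translates both. This does not prove that is the cause on the poster's firewall; it is the check to run against the actual Address Translation rules and the object's hide setting for interface 5's group.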

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
