Firewall-1

[FW-1] Office Mode Secure Client - restricting source IP address

Subject: [FW-1] Office Mode Secure Client - restricting source IP address
From: David InfoTech <david_it_sec AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 27 Feb 2004 10:26:59 -0600
Sorry for the long post...

Is it possible to restrict the source IP address for an Office Mode Secure
Client VPN connection?  I'm able to do this for Transparent Mode Secure
Client connections, but have not been able to restrict this for Office Mode.
I would like to do this so that I can make sure that my users can only
establish a VPN session from behind the low-end Cisco router that we've
pre-configured and have given them to take home.  I've allocated a specific
internal network range for each user - all of the internal network ranges
are in the 10.200.x.y range (User #1 has 10.200.1.0 /24, User #2 has
10.200.2.0 /24, etc.).

I am able to restrict Transparent Mode Secure Client connections using the
following Security rule on the VPN Module (the cleanup rule drops VPN
connections from all other source IP addresses)...
Source = VPN_Users@Net_10.200.0.0  (where Net_10.200.0.0 = 10.200.0.0 /16)
Destination = My_Encryption_Domain
Service = Any
Action = Client Encrypt ("Apply Rule Only If..." is checked)
Track = Log


When I'm testing the Office Mode Secure Client connection, I have to change
the Security rule base Client Encrypt rule.  This must be changed because
the VPN module sees **all Office Mode Secure Client VPN traffic** with a
source IP address from the Office Mode address pool.
Source = VPN_Users@Office_Mode_Pool
Destination = My_Encryption_Domain
Service = Any
Action = Client Encrypt ("Apply Rule Only If..." is checked)
Track = Log

Because the VPN module sees the incoming VPN traffic with a source IP
address from the Office Mode pool, the Security rule base has no way (that I
know of) to enforce that my VPN users are coming from the 10.200.x.y range &
not a different IP range (i.e. 12.1.2.3).

My next thought was to use Inbound & Outbound Desktop Security rules on my
Secure Client machines (and require these policies to be enforced).  I tried
the following Desktop Security rules, but I could still establish a VPN
session & access resources in my encryption domain from an IP address other
than 10.200.x.y.   Does anyone know if there are implied rules in the
Desktop Security rule base?


**OUTBOUND RULES**
#1 (OUTBOUND) - (This should allow outbound traffic to the VPN Modules if my
laptop's IP is 10.200.x.y)
Desktop = All Users@Net_10.200.0.0
Destination = VPN_Module
Service = IKE, FW1_pslogon_NG, RDP
Action = Accept
Track = Log

#2 (OUTBOUND) - (This *should* prevent the VPN tunnel from getting
established if my laptop's IP is not 10.200.x.y)
Desktop = All Users@Any
Destination = VPN_Module
Service = IKE, FW1_pslogon_NG, RDP
Action = Block
Track = Log

#3 (OUTBOUND) - (This allows all outbound traffic other than VPN traffic)
Desktop = All Users@Any
Destination = Any
Service = IKE, FW1_pslogon_NG, RDP (NEGATE)
Action = ACCEPT
Track = Log



I even tried blocking ALL outbound traffic from my Secure Client laptop
using the following rule.  This rule blocked all Web browsing, etc. to the
Internet, but my Office Mode VPN connection got established and I could
access everything in the encryption domain.   ...this is why I think an
implied rule must be in place.

**OUTBOUND RULES**
#1 (OUTBOUND) - (This should block all outbound connections from my laptop -
laptop's IP address is 12.1.2.3)
Desktop = All Users@laptop_12.1.2.3
Destination = Any
Service = Any
Action = Drop
Track = Log


Any help would be greatly appreciated.  Sorry again for the long post.

David

Email Address:
david(underscore)IT(underscore)Sec(AT)hotmail(DOT)com
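The core of the question is that a rule keyed on source address is evaluated against the packet as the gateway sees it after decapsulation: in Transparent Mode that is the client's real address, in Office Mode it is the pool address the gateway itself handed out, so the rule base has lost the information it would need. The following model of first-match rule evaluation reproduces that observation; it is an added illustration, not Check Point code or anything from the post, and the pool range 192.0.2.0/24, the encryption-domain range 10.1.0.0/16 and the `outer_source_allowed` check are assumptions introduced here to show where an origin check would have to sit.

```python
"""Model of first-match rule-base evaluation for the two Secure Client modes.

Constructed example (not Check Point's engine). Object names follow the post;
the pool and encryption-domain ranges are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Network objects. Net_10.200.0.0 is from the post; the other ranges are assumed.
NETS = {
    "Net_10.200.0.0": ipaddress.ip_network("10.200.0.0/16"),
    "Office_Mode_Pool": ipaddress.ip_network("192.0.2.0/24"),      # assumption
    "My_Encryption_Domain": ipaddress.ip_network("10.1.0.0/16"),   # assumption
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}


@dataclass
class Rule:
    name: str
    src: str      # network object name
    dst: str      # network object name
    action: str


@dataclass
class Packet:
    outer_src: str  # address the IKE/IPsec peer really connects from
    inner_src: str  # source address the gateway matches after decapsulation


def in_object(obj: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in NETS[obj]


def evaluate(rules, src: str, dst: str):
    """First match wins; anything unmatched hits the cleanup rule and is dropped."""
    for rule in rules:
        if in_object(rule.src, src) and in_object(rule.dst, dst):
            return rule.name, rule.action
    return "cleanup", "drop"


# The post's two Client Encrypt rules, one per mode.
TRANSPARENT_RULES = [
    Rule("VPN_Users@Net_10.200.0.0", "Net_10.200.0.0", "My_Encryption_Domain", "client_encrypt"),
]
OFFICE_MODE_RULES = [
    Rule("VPN_Users@Office_Mode_Pool", "Office_Mode_Pool", "My_Encryption_Domain", "client_encrypt"),
]


def transparent_mode(outer_src: str) -> Packet:
    # Transparent Mode: the inner source is the client's own address.
    return Packet(outer_src=outer_src, inner_src=outer_src)


def office_mode(outer_src: str, pool_addr: str) -> Packet:
    # Office Mode: the gateway assigns a pool address; that is what the rule base sees.
    return Packet(outer_src=outer_src, inner_src=pool_addr)


def decide(rules, pkt: Packet, dst: str):
    """The rule base only ever consults the inner (post-decapsulation) source."""
    return evaluate(rules, pkt.inner_src, dst)


def outer_source_allowed(pkt: Packet, allowed: ipaddress.IPv4Network) -> bool:
    """Hypothetical origin check: it must look at the outer peer address, because
    in Office Mode the inner source carries no information about the origin."""
    return ipaddress.ip_address(pkt.outer_src) in allowed


if __name__ == "__main__":
    dst = "10.1.0.10"
    for label, rules, pkt in [
        ("transparent, home router", TRANSPARENT_RULES, transparent_mode("10.200.1.5")),
        ("transparent, elsewhere", TRANSPARENT_RULES, transparent_mode("12.1.2.3")),
        ("office mode, home router", OFFICE_MODE_RULES, office_mode("10.200.1.5", "192.0.2.7")),
        ("office mode, elsewhere", OFFICE_MODE_RULES, office_mode("12.1.2.3", "192.0.2.8")),
    ]:
        print(label, "->", decide(rules, pkt, dst),
              "| outer in 10.200/16:", outer_source_allowed(pkt, NETS["Net_10.200.0.0"]))
```

Running the model shows the asymmetry: the Transparent Mode rule drops the 12.1.2.3 client at the cleanup rule, while in Office Mode both the 10.200.1.5 client and the 12.1.2.3 client arrive with a pool source and match the same Client Encrypt rule. Only a check on the outer peer address, which the rule base in the post never sees, separates the two.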
