It depends on what your gateway default route is.
In hub mode, all clear traffic to the Internet from SecureClient is routed
from the Internet to the gateway and back out the gateway external
interface, just like you want. And it works because I use SecureClient and I
can ping and traceroute to Internet sites when connected in by SecureClient.
Since you don't have any desktop rules blocking anything, this leaves
routing as the prime suspect.
Are you using Office Mode? If not, what would the IP range be for the source
of the hub mode packets leaving the firewall & how are they routed back?
Ray
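Ray's two checks above (does the firewall have a route for the 10-net traffic, and how does the reply get back to the client's source address) are easiest to see with a small routing model. The following is an added example, not code from the list or from Check Point; all addresses, the 192.168.1.0/24 LAN, and the 172.16.99.0/24 Office Mode pool are constructed assumptions, and the cloud-side table is a simplification of how the AS cloud would forward a 10-net host's reply.

```python
import ipaddress

# Constructed, illustrative addresses (the thread names only "10.x.x.x" and
# "public IP space"); documentation ranges stand in for public addresses.
DIALUP_CLIENT = "198.51.100.7"   # remote SecureClient's public dial-up address
FW_EXTERNAL   = "203.0.113.10"   # firewall external interface (tunnel endpoint)
CLOUD_EDGE    = "203.0.113.1"    # AS-cloud edge router, the firewall's default gateway
TARGET_HOST   = "10.20.30.40"    # host reachable only inside the AS cloud
OFFICE_MODE   = "172.16.99.5"    # Office Mode address handed out by the firewall (assumed pool)
OFFICE_POOL   = "172.16.99.0/24"


class RoutingTable:
    """Minimal longest-prefix-match table of (prefix, next_hop) entries."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


# Ray's first check: the firewall's own table decides where a decrypted
# client packet for a 10-net goes. Here the only exit is the default route
# back out the external interface towards the cloud edge.
FW_TABLE = RoutingTable([
    ("192.168.1.0/24", "internal-interface"),  # assumed LAN behind the firewall
    ("0.0.0.0/0", CLOUD_EDGE),
])


def forward_hop(dst, fw_table=FW_TABLE):
    """Next hop the firewall uses for traffic arriving through the tunnel."""
    nh = fw_table.lookup(dst)
    return "dropped: no route" if nh is None else nh


def return_hop(reply_dst, office_mode_routed):
    """Ray's second check: where the AS cloud sends the 10-net host's reply.

    The cloud-side table (as seen from the 10-net host's gateway) knows the
    10/8 space internally and sends everything else to the edge uplink. Only
    when the Office Mode pool is routed to the firewall does a reply addressed
    to a VPN client come back to the tunnel endpoint.
    """
    routes = [("10.0.0.0/8", "cloud-internal"), ("0.0.0.0/0", "edge-uplink")]
    if office_mode_routed:
        routes.append((OFFICE_POOL, FW_EXTERNAL))
    nh = RoutingTable(routes).lookup(reply_dst)
    if nh == FW_EXTERNAL:
        return "back to firewall, re-enters tunnel"
    return f"via {nh}, never reaches the tunnel (asymmetric path)"


def simulate(use_office_mode):
    """Round trip client -> 10-net host -> client for one hub-mode session."""
    src = OFFICE_MODE if use_office_mode else DIALUP_CLIENT
    return {
        "client_source": src,
        "forward": forward_hop(TARGET_HOST),
        "return": return_hop(src, office_mode_routed=use_office_mode),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("Office Mode" if mode else "Dial-up source", simulate(mode))
```

The forward leg succeeds in both runs because the default route covers 10/8; it is the return leg that differs. With the client's dial-up address as source, the 10-net host's reply follows the cloud's default route and never sees the tunnel, which matches a traceroute that stops at the firewall. With an Office Mode address that the cloud routes to the firewall, the reply comes back to the tunnel endpoint.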
From: Lyle Dove <ldove AT BIZLA.RR DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Hub Mode
Date: Wed, 22 Sep 2004 21:56:39 -0700
Hi Ray,
1st off, thanks for the response!
Maybe I should make my question a bit more simplistic for clarity's sake. In
reality, after thinking about this a bit more, what I want to do is route
all traffic from VPN clients when they are connected to the firewall,
through the firewall then out to the internet. The caveat to this is that
the VPN clients connect to the External interface, and everything needs to
get routed back out the same interface. I think this is common for what I
am intending to do, but I can't quite figure out what the problem is.
Now, regarding the trace, the 1st hop when I trace to an IP, of the ones
defined as the encryption domain, is the firewall itself, and then the trace
dies.
SecureClient and the FW are both configured to route traffic through the FW.
Desktop policies are wide open at this point until I can determine it's
working. Everything is allowed both directions.
Regarding the route, hmm.. I don't think so. This may be my problem. But
referencing back to my original statement above, what if I want to just
route ALL traffic through the gateway from VPN clients. This would give me
the results I want. Or if it's simple, I'd like to just route the items in
the encryption domain, like what I am attempting now.
I wasn't aware that I needed to add a route, but I guess that's just my
ignorance. I'll try to add the route, and see what happens. Any
suggestions other than that?
Thanks again!!
-Lyle
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
Sent: Wednesday, September 22, 2004 1:31 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Hub Mode
Hi Lyle,
What does a traceroute to the 10 networks from a dial-up client show?
You are using SecureClient and you do have Hub Mode enabled on the client
and on the firewall (allow SecureClient to route through this gateway),
don't you?
Do you have desktop policy rules in place to allow the traffic?
Does the firewall have a route so it knows what to do with the 10. network
traffic?
Ray
>From: Lyle Dove <ldove AT BIZLA.RR DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: [FW-1] Hub Mode
>Date: Wed, 22 Sep 2004 11:40:50 -0700
>
>Hello all,
>
>I'm having some trouble getting this to work correctly. Hopefully,
>I'll explain my situation correctly.
>
>My setup consists of a FW that resides inside a particular AS cloud. A
>cable modem network to be specific. In this AS cloud, we have 10.x.x.x
>space that is routable only within this cloud, and obviously, not out
>past our edge routers. We also have public IP space which is routed
>normally. My
>FW resides within this AS cloud, and as such, I can access both the
>10.x.x.x IP space, and the public space as expected. Now, if I am
>outside this AS cloud, let's say on dialup, but I want to access those
>10-nets, I would need to VPN to my FW, and have it route any traffic
>destined for 10.x.x.x through that VPN tunnel. It appears that when I
>connect, the FW is pulling the traffic through the tunnel, but it
>terminates at the FW, and doesn't go anywhere from there. To me, it
>appears that the VPN tunnel portion is working correctly, but I need it
>to route it back out the External interface so through the VPN tunnel,
>I can access the 10.x.x.x IP's. The VPN tunnel connects at the FW's
>external interface as well.
>
>I currently have the FW setup with the Allow Hub Mode checked, and have
>defined the IP's that should be in the VPN domain already and manually
>defined under the topology on the FW Module.
>
>Here's a basic diagram.
>
>                (cloud) AS12345
>            |-----------------------|
>            |                       |
>            |   10-net/public IP's  |
>            |          |            |
>Dialup----*VPN*--------|------FW     |
>            |                       |
>            |-----------------------|
>
>
>Hope this makes sense. Please advise if you need further information.
>
>Thanks!!
>
>--------
>Beep! Beep!
>
>Lyle Dove
>BPS Senior Technician
>Time Warner Cable - Los Angeles Division
>
>
>=================================================
>To set vacation, Out-Of-Office, or away messages, send an email to
>LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your subscription options,
>email fw-1-owner AT ts.checkpoint DOT com
>=================================================