Firewall-1


Subject: Re: [FW-1] Hub Mode
From: Gary Scott <gscott AT VIGILAR DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 24 Sep 2004 07:00:19 -0400
Correct. If you read the VPN-1 .pdf for r-55 you can see the
restrictions imposed for doing VPN routing.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lyle Dove
Sent: Friday, September 24, 2004 1:00 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Hub Mode

All,

Well, I just realized that the VPN license attached to my FW is for SecureRemote, and not SecureClient. Even though you can go through the motions, I assume that I can't do what I am attempting with SecureRemote. Or am I wrong? I've stopped attempting to make this work until I can get clarification. Anyone?

Thanks,

-Lyle


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lyle Dove
Sent: Thursday, September 23, 2004 1:25 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Hub Mode

Well, I have both ends defined for hub mode, no additional routes except the default routes for the interfaces themselves.

Destination     Netmask            Gateway      Metric  Interface
x.x.x.0         255.255.255.192    0.0.0.0      0       eth0
10.157.63.0     255.255.255.128    0.0.0.0      0       eth1
10.157.63.128   255.255.255.128    0.0.0.0      0       eth2
default         0.0.0.0            x.x.x.1      0       eth0

There's my routing table.

Now, with everything default like the above, and hub mode configured on both, it times out at the firewall when I attempt to trace or ping anything. It's almost like it doesn't know where to send the packets, yet I figured that's what the hub mode does. In hub mode, should I define an encryption domain since it's going to route all traffic through the FW anyway?

Anything else I can try?

-Lyle


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
Sent: Thursday, September 23, 2004 10:18 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Hub Mode

It depends on what your gateway default route is.

In hub mode, all clear traffic to the Internet from SecureClient is routed from the Internet to the gateway and back out the gateway external interface, just like you want. And it works because I use SecureClient and I can ping and traceroute to Internet sites when connected in by SecureClient. Since you don't have any desktop rules blocking anything, this leaves routing as the prime suspect.

Are you using Office Mode? If not, what would the IP range be for the source of the hub mode packets leaving the firewall & how are they routed back?

Ray

>From: Lyle Dove <ldove AT BIZLA.RR DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Hub Mode
>Date: Wed, 22 Sep 2004 21:56:39 -0700
>
>Hi Ray,
>
>1st off, thanks for the response!
>
>Maybe I should make my question a bit more simplistic for clarity's sake.
>In reality, after thinking about this a bit more, what I want to do is
>route all traffic from VPN clients, when they are connected to the
>firewall, through the firewall then out to the internet.  The caveat to
>this is that the VPN clients connect to the External interface, and
>everything needs to get routed back out the same interface.  I think
>this is common for what I am intending to do, but I can't quite figure
>out what the problem is.
>
>Now, regarding the trace, the 1st hop when I trace to an IP, of the ones
>defined as the encryption domain, is the firewall itself, and then the
>trace dies.
>
>SecureClient and the FW are both configured to route traffic through
>the FW.
>
>Desktop policies are wide open at this point until I can determine it's
>working.  Everything is allowed both directions.
>
>Regarding the route, hmm..   I don't think so.  This may be my problem.
>But referencing back to my original statement above, what if I want to
>just route ALL traffic through the gateway from VPN clients.  This would
>give me the results I want.  Or if it's simple, I'd like to just route
>the items in the encryption domain, like what I am attempting now.
>
>I wasn't aware that I needed to add a route, but I guess that's just my
>ignorance.  I'll try to add the route, and see what happens.  Any
>suggestions other than that?
>
>Thanks again!!
>
>-Lyle
>
>
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
>Sent: Wednesday, September 22, 2004 1:31 PM
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] Hub Mode
>
>Hi Lyle,
>
>What does a traceroute to the 10 networks from a dial-up client show?
>
>You are using SecureClient and you do have Hub Mode enabled on the
>client and on the firewall (allow SecureClient to route through this
>gateway), don't you?
>
>Do you have desktop policy rules in place to allow the traffic?
>
>Does the firewall have a route so it knows what to do with the 10.
>network traffic?
>
>Ray
>
> >From: Lyle Dove <ldove AT BIZLA.RR DOT COM>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> >Subject: [FW-1] Hub Mode
> >Date: Wed, 22 Sep 2004 11:40:50 -0700
> >
> >Hello all,
> >
> >I'm having some trouble getting this to work correctly.  Hopefully,
> >I'll explain my situation correctly.
> >
> >My setup consists of a FW that resides inside a particular AS cloud.
> >A cable modem network to be specific.  In this AS cloud, we have
> >10.x.x.x space that is routable only within this cloud, and
> >obviously, not out past our edge routers. We also have public IP
> >space which is routed normally.  My FW resides within this AS cloud,
> >and as such, I can access both the 10.x.x.x IP space, and the public
> >space as expected.  Now, if I am outside this AS cloud, let's say on
> >dialup, but I want to access those 10-nets, I would need to VPN to my
> >FW, and have it route any traffic destined for 10.x.x.x through that
> >VPN tunnel.  It appears that when
> >I connect, the FW is pulling the traffic through the tunnel, but it
> >terminates at the FW, and doesn't go anywhere from there.  To me, it
> >appears that the VPN tunnel portion is working correctly, but I need
> >it to route it back out the External interface so through the VPN
> >tunnel, I can access the 10.x.x.x IP's.  The VPN tunnel connects at
> >the FW's external interface as well.
> >
> >I currently have the FW setup with the Allow Hub Mode checked, and
> >have defined the IP's that should be in the VPN domain already and
> >manually defined under the topology on the FW Module.
> >
> >Here's a basic diagram.
> >
> >                           (cloud) AS12345
> >                      |-----------------------|
> >                      |                       |
> >                      | 10-net/public IP's    |
> >                      |      |                |
> >Dialup----*VPN*------|---------FW            |
> >                      |                       |
> >                      |-----------------------|
> >
> >
> >Hope this makes sense.  Please advise if you need further information.
> >
> >Thanks!!
> >
> >--------
> >Beep! Beep!
> >
> >Lyle Dove
> >BPS Senior Technician
> >Time Warner Cable - Los Angeles Division
> >
> >"The information transmitted is intended only for the person or
> >entity to which it is addressed and may contain confidential,
> >proprietary, and/or privileged material. Any review, retransmission,
> >dissemination or other use of, or taking of any action in reliance
> >upon, this information by persons or entities other than the intended
> >recipient is prohibited. If you received this in error, please
> >contact the sender and delete the material from all computers."
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages, send an email to
> >LISTSERV AT amadeus.us.checkpoint DOT com
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list, please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your subscription options,
> >email fw-1-owner AT ts.checkpoint DOT com
> >=================================================

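As an added illustration (this is not part of the thread, nor Check Point's code), here is a short Python walk of the routing table Lyle posted, applying longest-prefix match to show which interface the gateway would use for a decrypted hub-mode packet and which destinations hairpin, i.e. arrive through the tunnel on eth0 and leave again via eth0 toward the default gateway. It also lists the upstream next hops that must carry a route for the clients' source range back to the gateway, which is the return-path question Ray raises. The post masks the public /26 and its default gateway as x.x.x.0 and x.x.x.1; 203.0.113.0/26 and 203.0.113.1 are substituted here as an assumption, and the sample destinations are constructed.

```python
"""Walk the routing table posted in the thread (added example, not from the list).

Applies longest-prefix match to decide which interface the gateway would use
for a hub-mode packet from a SecureClient user, and flags destinations that
hairpin: arriving through the tunnel on eth0 and leaving again via eth0.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None = directly connected
    iface: str


# Routing table from the Sep 23 post. Assumption: the post masks the public
# /26 as x.x.x.0 and its default gateway as x.x.x.1; 203.0.113.0/26 and
# 203.0.113.1 (documentation range) stand in for them.
ROUTES = [
    Route(ipaddress.ip_network("203.0.113.0/26"), None, "eth0"),
    Route(ipaddress.ip_network("10.157.63.0/25"), None, "eth1"),
    Route(ipaddress.ip_network("10.157.63.128/25"), None, "eth2"),
    Route(ipaddress.ip_network("0.0.0.0/0"),
          ipaddress.ip_address("203.0.113.1"), "eth0"),
]

# The SecureClient tunnel terminates on the external interface.
TUNNEL_IFACE = "eth0"


def lookup(dst, routes=ROUTES):
    """Most specific route for dst (longest prefix wins), or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def classify(dst, routes=ROUTES, tunnel_iface=TUNNEL_IFACE):
    """Describe the gateway's forwarding decision for a decrypted hub-mode packet."""
    r = lookup(dst, routes)
    if r is None:
        return "no route"
    if r.gateway is None:
        return f"direct out {r.iface}"
    if r.iface == tunnel_iface:
        # Same interface the tunnel came in on: the packet goes back out to
        # the upstream router, so the reply must find its way back to us.
        return f"hairpin via {r.gateway} out {r.iface}"
    return f"via {r.gateway} out {r.iface}"


def return_hops(dsts, routes=ROUTES):
    """Next hops that must carry a route for the clients' source range
    (the Office Mode pool, if used) back to the gateway; otherwise replies
    never return. Directly connected destinations need no upstream hop, but
    the host itself must still default-route back through the gateway."""
    hops = {str(r.gateway) for r in (lookup(d, routes) for d in dsts)
            if r is not None and r.gateway is not None}
    return sorted(hops)


if __name__ == "__main__":
    # Constructed sample destinations: one in each connected /25, one 10-net
    # elsewhere in the cable cloud, and one Internet host (198.51.100/24 is
    # a documentation range).
    for dst in ["10.157.63.10", "10.157.63.200", "10.20.0.5", "198.51.100.7"]:
        print(f"{dst:15} -> {classify(dst)}")
    print("return route for the client pool needed on:",
          return_hops(["10.20.0.5", "198.51.100.7"]))
```

With this table, only the two connected /25s are delivered directly; every other 10-net in the cloud and all Internet traffic hairpins out eth0 to the default gateway, so that router (and anything behind it) must know to send the client pool's traffic back to the gateway's eth0 address, or a traceroute from the client stops at the firewall exactly as described in the thread.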
