Re: [FW-1] SecureClient with Hub Mode can't route to the Internet

[Ray [Permanent Link]]

Dang, Martin. Good catch. That's precisely what it was. I had dropped 
numerous routes out of my border router to reduce some of the scanning and 
the Office Mode pool was one of them, and it was the only network object I 
had that wasn't configured for Hide NAT.
Thank you very much!

Ray


> From: Martin Hoz <martinhoz AT GMAIL DOT COM>
> Reply-To: Mailing list for discussion of Firewall-1              
> <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] SecureClient with Hub Mode can't route to the Internet
> Date: Sat, 20 Aug 2005 23:26:48 -0500
>
> On 8/20/05, Ray <sixsigma44 AT hotmail DOT com> wrote:
> > I'm using SecureClient R55 HFA04 & NGX in Hub Mode on an R55 gateway. It
> > works great. Now I need to add a rule so that clients that are VPNed in 
> can
> > access an FTP site on the Internet, something we have never needed 
> before.
> > Formerly all resources were in the encryption domain only.
> >
> > The remote access community rule is OK and the desktop security policy 
> rule
> > is OK. SmartView Tracker shows the traffic is being accepted, but the
> > connections never work, they just time out. It doesn't matter if I'm 
> using
> > FTP, SSH or even ICMP.
> >
> > Runnin  ipconfig /all on the client shows something odd, though. I'm 
> using
> > IP Pools and Office Mode and have xxx.xxx.133.0/24 (a routable address) 
> as
> > the Office Mode pool. I routinely see xxx.xxx.133.1 assigned to a remote
> > access client as its Office Mode address, but ipconfig /all is showing
> > xxx.xxx.133.1 as my default gateway.
> >
> > Does anyone know if this is something broken in Office Mode & Hub Mode 
> or
> > whether its just a display oddity?
> >
>
> Probably you need some sort of NAT to the Office Mode/IP Pool IP
> addresses so when the SecureClient connections go to the Internet go
> back to the firewall/VPN gateway, so they can as well be routed
> properly back trough the VPN to the SecureClient machine...
>
> HTH. Best regards.
>
> - Martín.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================