A belated follow-up....
I'm wrestling with a similar problem which I believe is due to my
firewall object having the internal address. My license is keyed to the
external correctly, however.
If I simply change the address in the object, do I expect the whole
firewall to come crashing down? Rules to fail? Clients to disconnect?
Ancient evils to rise from their watery slumber? Or should everything
simply be ducky?
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
> Sent: Tuesday, October 11, 2005 7:12 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Office Mode & SecureClient
>
> Does your firewall object have the external IP or the
> internal IP? It has to be the external IP.
>
> If it works with hub mode, that tells me it's a routing
> issue. SecureClient doesn't know how to find the policy
> server until it's already inside the firewall.
>
> Ray
>
> >From: cp user <checkpoint_user AT YAHOO DOT FR>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> >Subject: Re: [FW-1] Office Mode & SecureClient
> >Date: Tue, 11 Oct 2005 11:45:06 +0200
> >
> >May anyone please give me the steps to configure Office Mode-IP POOL
> >on SecureClient R55?
> >
> >I tried to follow the steps described in the VPN-1 guide but I still have
> >problems (my SecureClient cannot communicate with policy server)!
> >
> >My architecture consists of the following:
> >- some hosts on the LAN.
> >- a SmartCenter server that lies on the LAN
> >- a VPN-1 Pro gateway that has two interfaces: an external one and a
> >local one (connected to the LAN)
> >- a remote access client (the SecureClient) whose default gateway is
> >set to the VPN-1 Pro gateway. I actually have no router.
> >
> >As David suggested, my VPN domain is actually a Group with exclusions.
> >It is the LAN except Office Mode IP POOL subnetwork addresses.
> >
> >I noticed that tunnel test succeeds when I activate both Office Mode
> >and Hub mode. But the tunnel test fails when I only activate Office
> >mode. Communication with policy server always fails.
> >
> >Kind regards
> >
> >--- "David S. Barker" <dbarker AT COMPUQUIP DOT COM> wrote:
> >
> > > I've been reading this thread and now I'm confused.
> > >
> > > Not on how this is supposed to work but how the terminology is being
> > > used, seems like POOL is being used to describe the encryption
> > > domain.
> > >
> > > When someone says POOL in reference to Check Point I'm thinking one
> > > of two things, IP POOL NAT or OFFICE MODE IP POOL. In the case of
> > > IP POOL NAT these can be used for Gateway to Gateway or for Remote
> > > Access. These are allowed as a global property (NAT) and then
> > > assigned on gateways, encrypted connections are translated to these
> > > ip addresses to help eliminate asynchronous routing.
> > >
> > > The only other mention of POOL has to do with Office mode IP POOL.
> > >
> > > Now, with Office Mode it is important that these networks are NOT
> > > part of your Remote access encryption domain. These addresses are
> > > assigned to your clients on the client side, so think of them as the
> > > Remote encryption domain. Also, if you want to use a subset of your
> > > existing internal address space for your Office Mode addresses then
> > > you need to also make sure that the topology for all of the internal
> > > interfaces does NOT include these networks. You can do this by using
> > > Groups with Exclusions. The exclusions will be the Office Mode
> > > networks.
> > > Finally, you'll have to make sure that if you use any generalized
> > > routes like 10/8 pointing to a router inside, and your office mode is
> > > 10.10.10.0/24, you'll have to specifically add a route on your
> > > gateways to not point 10.10.10.0/24 to the inside router. It
> > > doesn't really matter where you point the route as long as it's
> > > being reflected externally, in general I point this to the default
> > > gateway.
> > >
> > > As a general practice I use different Office Mode networks from my
> > > local networks/encryption domain networks so that I don't have to do
> > > this. With larger networks I had to use the Group with exclusions
> > > frequently.
> > >
> > > Also note if you're using both Office Mode and IP POOL NAT, by
> > > default the Office Mode addresses will be NATted to the IP POOL NAT
> > > addresses too. You can prevent this by creating a No NAT rule for
> > > the Office Mode Network, or by setting the
> > > om_prevent_ippool_nat_for_users property to true in the
> > > objects_5_0.C on the management server.
> > >
> > >
> > >
> > > Compuquip TECHNOLOGIES
> > > "Providing Solutions Since 1980"
> > >
> > > David Barker
> > > Senior Security Engineer
> > > Internet Security Division
> > >
> > > Phone: 305.436.7272 X 1364
> > > Fax: 305.436.9149
> > > email: dbarker AT compuquip DOT com
> > >
> > >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1
> > > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM]
> > > On Behalf Of cp user
> > > Sent: Saturday, October 08, 2005 5:46 PM
> > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > Subject: Re: [FW-1] Office Mode & SecureClient
> > >
> > > Hi Bill,
> > >
> > > This means that the "POOL" network object (internal addresses that
> > > will be assigned to remote clients) is located in a group that is
> > > defined as VPN domain.
> > >
> > > --- Bill Smith <vinet138 AT YAHOO DOT COM> wrote:
> > >
> > > > Hi there,
> > > >
> > > > what do you mean by network pool BEHIND YOUR VPN DOMAIN.
> > > > Could you please expand a bit?
> > > >
> > > > Thx,
> > > >
> > > > Bill
> > > >
> > > > cp user <checkpoint_user AT YAHOO DOT FR> wrote:
> > > > > Be sure to put your SecureClient NETWORK POOL behind
> > > > > your VPN Domain.
> > > > > As Mike says it's probably "address spoofing".
> > > >
> > > > I set the SecureClient network pool behind my VPN domain but the
> > > > problem is still here!! what may I do please?
> > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sahli, Mike [mailto:mike.sahli AT SMECO DOT COOP]
> > > > > Sent: Thursday, 06 October 2005 07:42 a.m.
> > > > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > > > Subject: Re: [FW-1] Office Mode & SecureClient
> > > > >
> > > > > Your problem is probably "address spoofing", check your logs for all
> > > > > traffic coming in from a known client that is failing.
> > > > >
> > > > > Michael D Sahli
> > > > > Sr. Network Engineer
> > > > > Lockheed Martin IT @ SMECO
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: cp user [mailto:checkpoint_user AT YAHOO DOT FR]
> > > > > Sent: Thursday, October 06, 2005 7:54 AM
> > > > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > > > Subject: [FW-1] Office Mode & SecureClient
> > > > >
> > > > > Hi list,
> > > > >
> > > > > I configured Office Mode with IP Pool on the gateway side.
> > > > > Once I check "Support Office Mode" on my SecureClient, it can no
> > > > > longer log on to the policy server and download policy. The "Connect"
> > > > > returns:
> > > > > Connecting to gateway...
> > > > > Negociation succeeded, tunnel test failed
> > > > > Connected to gateway: MyGW
> > > > > Login on to policy server MyServer...
> > > > > Logon to policy server failed.
> > > > > Connection succeeded.
> > > > >
> > > > > I try again to log on to the policy server. But this fails with the
> > > > > following message: "SecureClient failed to communicate with policy
> > > > > server MyServer at site MySite".
> > > > >
> > > > > Logs return:
> > > > > Connecting to site MySite using profile MySite
> > > > > Interface change: VPN-1 SecureClient Adapter - Miniport
> > > > > d'ordonnancement de paquets interface added, current ip: 192.168.34.65
> > > > > Default Desktop Security Policy Loaded
> > > > > SecureClient failed to communicate with Policy Server MyServer at site MySite
> > > > > Successfully connected to site
> > > > >
> > > > > Any idea is welcome!
> > > > >
> > > > > Many thanks
> > > > >
> > > > >
> > >
> > > > > _____________________________________________________________
> > > > > FREE audio calls anywhere in the world with the new Yahoo!
> > > > > Messenger. Download this version at http://fr.messenger.yahoo.com
> > > > >
> > > > >
> > > > > =================================================
> > > > > To set vacation, Out-Of-Office, or away messages, send an email to
> > > > > LISTSERV AT amadeus.us.checkpoint DOT com
> > > > > in the BODY of the email add:
> > > > > set fw-1-mailinglist nomail
> > > > > =================================================
> > > > > To unsubscribe from this mailing list, please see the instructions
> > > > > at http://www.checkpoint.com/services/mailing.html
> > > > > =================================================
> > > > > If you have any questions on how to change your subscription
> > > > > options, email fw-1-owner AT ts.checkpoint DOT com
> > > > > =================================================
> > > > >
> > >
> >=== message truncated ===
>
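Added here as an example, not code from the thread or from Check Point: a small Python check that encodes the three conditions David describes for an Office Mode pool carved out of the LAN (excluded from the remote-access encryption domain, excluded from the internal interface topology, and not routed to the inside router by a generalized route). The function names, the sample addresses and the assumption that one Group with Exclusions is applied to both the VPN domain and the topology are mine.

```python
import ipaddress


def _net(cidr):
    """Parse a CIDR string into a network object (host bits are tolerated)."""
    return ipaddress.ip_network(cidr, strict=False)


def route_for(routes, cidr):
    """Longest-prefix match for `cidr` in `routes` ({dst_cidr: next_hop}).
    Returns (dst_network, next_hop), or None when no route covers it."""
    target, best = _net(cidr), None
    for dst, hop in routes.items():
        dst_net = _net(dst)
        if target.subnet_of(dst_net) and (best is None or dst_net.prefixlen > best[0].prefixlen):
            best = (dst_net, hop)
    return best


def check_office_mode(office_mode, vpn_domain, exclusions, internal_topology, routes, inside_router):
    """Return the problems with an Office Mode layout; an empty list means it is fine.
    Assumption (mine): `exclusions` is the Group with Exclusions applied to both the
    VPN domain and the internal interface topology, and the pool only counts as
    excluded when it lies wholly inside one exclusion."""
    om = _net(office_mode)
    findings = []
    excluded = any(om.subnet_of(_net(x)) for x in exclusions)
    if not excluded and any(om.overlaps(_net(d)) for d in vpn_domain):
        findings.append("Office Mode pool overlaps the remote-access encryption domain")
    if not excluded and any(om.overlaps(_net(t)) for t in internal_topology):
        findings.append("Office Mode pool overlaps an internal interface topology")
    match = route_for(routes, office_mode)
    if match is not None and match[1] == inside_router:
        findings.append(f"Office Mode pool is routed to the inside router via {match[0]}")
    return findings


# Constructed sample: a 10/8 LAN with the Office Mode pool taken from inside it.
BROKEN = {
    "office_mode": "10.10.10.0/24",
    "vpn_domain": ["10.0.0.0/8"],            # the LAN is the encryption domain
    "exclusions": [],                        # no Group with Exclusions yet
    "internal_topology": ["10.0.0.0/8"],     # topology of the internal interface
    "routes": {"0.0.0.0/0": "203.0.113.1",   # default gateway (external side)
               "10.0.0.0/8": "10.0.0.1"},    # generalized route to the inside router
    "inside_router": "10.0.0.1",
}
# The same layout after applying the advice: exclude the pool, route it externally.
FIXED = dict(BROKEN, exclusions=["10.10.10.0/24"],
             routes={**BROKEN["routes"], "10.10.10.0/24": "203.0.113.1"})

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_office_mode(**cfg) or ["ok"])
```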