
RE: [FW1] Secure Client and NAT
Ok, I apologize for being a little slow, but if I have a rule denying all connections to the firewall such as
 
Any    FW    Any Drop
FW    Any    Any Drop
 
And then no SecuRemote rules defining a connection, doesn't this provide the same thing?  Or do I still need to define a SecuRemote rule directly denying connections to it?
 
I've disabled control connections, etc... in the interface and defined all rules manually for IKE, firewall management, etc....
 
thanks everyone...
 
PDB
-----Original Message-----
From: Jeff Hochberg [mailto:[email protected]]
Sent: Friday, March 09, 2001 11:39 PM
To: 'Anil Bhelkar'; 'Patrick Baird'; [email protected]
Subject: RE: [FW1] Secure Client and NAT

Better than I could have explained it myself.  Thanks Anil!
 
-Jeff Hochberg
-----Original Message-----
From: Anil Bhelkar [mailto:[email protected]]
Sent: Wednesday, March 07, 2001 11:00 PM
To: Patrick Baird; [email protected]; [email protected]
Subject: Re: [FW1] Secure Client and NAT

Hi Patrick,
 
What it means is that you put a rule so that the SecuRemote users cannot make a connection to the firewall object itself. To elaborate further, the SecuRemote client should be able to make a secure tunnel with VPN-1 and be able to access the objects behind the firewall, but should not be able to access the firewall object itself.
 
Jeff may like to correct if my understanding is wrong.
 
Regards,
 
anil bhelkar
[email protected]
----- Original Message -----
Sent: Wednesday, March 07, 2001 7:00 PM
Subject: RE: [FW1] Secure Client and NAT

Can you give an example of this?  I am having trouble understanding why this is necessary if the firewall isn't defined in any of the SecuRemote rules.
 
"Also, when constructing your Client Encrypt rule, make sure to put the firewall object(s) in the destination field and negate them so that even VPN users can't make a direct connection to the firewall through a SecuRemote session."
 
thanks!
 
PDB
-----Original Message-----
From: Jeff Hochberg [mailto:[email protected]]
Sent: Tuesday, March 06, 2001 10:38 PM
To: 'Rafiyq Mondesir'; [email protected]
Subject: RE: [FW1] Secure Client and NAT

No there is not.
 
How does this undermine the use of a stealth rule?  Disable the "Respond to Unauthenticated Topology Requests" option in Policy->Properties in order to enable SSL authenticated topology downloads to prevent just "anyone" from getting your userc.C file.
 
Also, when constructing your Client Encrypt rule, make sure to put the firewall object(s) in the destination field and negate them so that even VPN users can't make a direct connection to the firewall through a SecuRemote session.
 
-Jeff Hochberg
-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of Rafiyq Mondesir
Sent: Tuesday, March 06, 2001 11:21 AM
To: [email protected]
Subject: [FW1] Secure Client and NAT

Hello.

Does anyone know if it's possible to use a NAT'ed address of the firewall's external interface as the point of connect in the SecuRemote Client?  In other words, say the external interface of my firewall is publicly addressable: 111.111.111.111, and I plan on giving it a NAT'ed address of 222.222.222.222 to be used by my clients for topology updates and VPN connections.  Is this possible?

The reason I want to do this is because the file: userc.C, which is located on the client, contains (in clear text) several firewall and network details that undermine the use of a Stealth Rule, and thus compromises my security policy.

Any advice would be appreciated.

Regards,

R.
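As an added illustration, not part of this thread and not Check Point's own code: a small Python model of first-match rule-base evaluation that walks through Jeff's advice (put the firewall object in the Client Encrypt rule's destination and negate it) and Patrick's follow-up question (is a stealth rule "Any FW Any Drop" enough on its own). The firewall address 111.111.111.111 is the thread's placeholder; the internal network, management station, management service port, the SecuRemote client's address and the rule names are assumptions. Real VPN-1 matching (user groups, encryption domains, implied rules) is more involved than this; the model only shows how rule order and destination negation decide what a tunnelled packet to the firewall itself hits.

```python
"""Toy first-match rule base in the style of a FW-1 policy (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
ANY = "any"

# Constructed objects. 111.111.111.111 is the thread's placeholder; everything else is assumed.
FW = ipaddress.ip_network("111.111.111.111/32")   # firewall external interface
INTERNAL = ipaddress.ip_network("10.1.0.0/16")    # assumed network behind the firewall
MGMT = ipaddress.ip_network("10.1.0.10/32")       # assumed management station
IKE = "udp/500"                                   # IKE, allowed explicitly (control connections disabled)
FW1_MGMT = "tcp/256"                              # assumed firewall management service


@dataclass
class Rule:
    name: str
    src: Union[str, List[Net]]
    dst: Union[str, List[Net]]
    service: Union[str, Set[str]]
    action: str
    dst_negate: bool = False    # "negate" the destination objects, as in the Client Encrypt advice
    tunnel_only: bool = False   # a Client Encrypt rule only applies to traffic arriving inside a tunnel


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    in_tunnel: bool = False


def _matches(addr: str, objs) -> bool:
    """True when the address is covered by the object list, or the field is 'any'."""
    if objs == ANY:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in objs)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rule base top to bottom; return (rule name, action) of the first match."""
    for r in rules:
        if r.tunnel_only and not pkt.in_tunnel:
            continue
        if not _matches(pkt.src, r.src):
            continue
        dst_hit = _matches(pkt.dst, r.dst)
        if r.dst_negate:            # negated destination: match everything EXCEPT the listed objects
            dst_hit = not dst_hit
        if not dst_hit:
            continue
        if r.service != ANY and pkt.service not in r.service:
            continue
        return r.name, r.action
    return "implicit cleanup", "drop"   # nothing accepted it: dropped


def build_rulebase(negate_fw: bool, stealth_before_vpn: bool) -> List[Rule]:
    """Assemble the rules discussed in the thread with the two choices under debate."""
    ike = Rule("IKE to firewall", ANY, [FW], {IKE}, "accept")
    mgmt = Rule("Management", [MGMT], [FW], {FW1_MGMT}, "accept")
    if negate_fw:
        # Jeff's form: destination = firewall object, negated -> "anything but the firewall".
        vpn = Rule("Client Encrypt", ANY, [FW], ANY, "client encrypt",
                   dst_negate=True, tunnel_only=True)
    else:
        # A broad Client Encrypt rule whose destination also covers the firewall itself.
        vpn = Rule("Client Encrypt", ANY, ANY, ANY, "client encrypt", tunnel_only=True)
    stealth = Rule("Stealth", ANY, [FW], ANY, "drop")        # Any  FW   Any  Drop
    fw_out = Rule("Firewall outbound", [FW], ANY, ANY, "drop")  # FW   Any  Any  Drop
    cleanup = Rule("Cleanup", ANY, ANY, ANY, "drop")
    order = [ike, mgmt, stealth, vpn] if stealth_before_vpn else [ike, mgmt, vpn, stealth]
    return order + [fw_out, cleanup]


def vpn_user_to_firewall(negate_fw: bool, stealth_before_vpn: bool) -> Tuple[str, str]:
    """A SecuRemote user, inside the tunnel, opens a management session to the firewall itself."""
    pkt = Packet("192.0.2.77", "111.111.111.111", FW1_MGMT, in_tunnel=True)  # assumed client address
    return evaluate(build_rulebase(negate_fw, stealth_before_vpn), pkt)


def vpn_user_to_internal(negate_fw: bool, stealth_before_vpn: bool) -> Tuple[str, str]:
    """The same user reaching a host behind the firewall, which should still work."""
    pkt = Packet("192.0.2.77", "10.1.5.20", "tcp/80", in_tunnel=True)
    return evaluate(build_rulebase(negate_fw, stealth_before_vpn), pkt)


def outsider_to_firewall(service: str) -> Tuple[str, str]:
    """An unauthenticated Internet host talking to the firewall's external interface."""
    pkt = Packet("203.0.113.5", "111.111.111.111", service)
    return evaluate(build_rulebase(True, False), pkt)


if __name__ == "__main__":
    for negate in (False, True):
        for stealth_first in (False, True):
            print(f"negate_fw={negate} stealth_before_vpn={stealth_first}:",
                  vpn_user_to_firewall(negate, stealth_first),
                  vpn_user_to_internal(negate, stealth_first))
    print("outsider IKE:", outsider_to_firewall(IKE), " outsider mgmt:", outsider_to_firewall(FW1_MGMT))
```

Running it shows the one combination where the tunnelled user reaches the firewall: a Client Encrypt rule whose destination covers the firewall, placed above the stealth rule. Negating the firewall in the destination, or placing the stealth rule first, sends that packet to "Stealth / drop" while access to the internal host and the explicit IKE rule keep working. Because evaluation is first match, the explicit IKE and management rules have to sit above the stealth rule, which is exactly why they are defined manually once control connections are disabled.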





 