
Re: [FW-1] SecureClient encryption domains and NAT'd user networks.



Tim,

You don't have to force your clients to change their network addresses. The
problem can be solved by using IP Pool NAT on the firewall... Below is the
outline of how to set it up. If you still can't get it to work, check your
documentation/support for more information on how to set up IP Pool NAT.

1. Create an address range object;

2. Go to [policy properties->ip pool nat tab] and check "enable ip pool nat
for securemote connections" checkbox;

3. Open [manage objects->fw object->nat tab] and check "use ip pool nat for
securemote connections";

4. Plug your address range object into the "allocate ip pool addresses from"
container;

5. If your address range object belongs to the internal network, add a proxy
ARP entry for each address in the range and hang it off of the internal
network interface. I only know how to do it on Solaris; read the newsgroup
archives for Windows-specific instructions...
# arp -s IP_POOL_NAT_ADDRESS_0 INTERNAL_INTERFACE_MAC pub
# arp -s IP_POOL_NAT_ADDRESS_1 INTERNAL_INTERFACE_MAC pub
...
# arp -s IP_POOL_NAT_ADDRESS_N INTERNAL_INTERFACE_MAC pub

6. fwstop; fwstart

I hope this helps.

Igor Prokopinskiy


> -----Original Message-----
> From: Tim Jones [SMTP:[email protected]]
> Sent: Thursday, November 15, 2001 12:54 PM
> To:   [email protected]
> Subject:      [FW-1] SecureClient encryption domains and NAT'd user
> networks.
>
> Hello.
>
> I've run into an issue with SecureClient 4.1 that I'm
> hoping someone can help me with.
>
> Our encryption domain is 192.168.0.0.  I'm wondering
> how we can allow a client whose home network uses
> addresses in this range to access the encryption
> domain.  Whenever the client tries to ping something
> in the encryption domain, the traffic doesn't go
> through the VPN, and I'm not 100% sure why.
>
> Are there issues with using SecureClient from a
> network in the same subnet as the encryption domain?
>
> Thanks!
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
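
Step 5 of the reply above, as an added example that is not part of the original post: a POSIX shell helper that expands an address range into the "arp -s ... pub" lines that step calls for, rejecting malformed input first. The function names, the MAX_POOL cap, and the sample addresses and MAC are assumptions made up for illustration.

```sh
#!/bin/sh
# Added example: print one proxy ARP command per IP Pool NAT address.
MAX_POOL=256   # assumed safety cap on pool size, not a FireWall-1 limit

ip_to_int() {   # dotted quad -> integer; fails on malformed input
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ????*|0?*) return 1 ;; esac   # too long or leading zero
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

valid_mac() {   # six colon-separated groups of 1-2 hex digits
    case $1 in ''|*[!0-9A-Fa-f:]*|:*|*:|*::*) return 1 ;; esac
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for g in "$@"; do
        case $g in ???*) return 1 ;; esac
    done
}

proxy_arp_cmds() {   # args: FIRST_IP LAST_IP INTERNAL_INTERFACE_MAC
    [ $# -eq 3 ] || { echo "usage: proxy_arp_cmds FIRST LAST MAC" >&2; return 2; }
    pool_lo=$(ip_to_int "$1") || { echo "bad address: $1" >&2; return 1; }
    pool_hi=$(ip_to_int "$2") || { echo "bad address: $2" >&2; return 1; }
    valid_mac "$3" || { echo "bad MAC: $3" >&2; return 1; }
    [ "$pool_lo" -le "$pool_hi" ] || { echo "range is reversed" >&2; return 1; }
    [ $((pool_hi - pool_lo + 1)) -le "$MAX_POOL" ] ||
        { echo "range exceeds MAX_POOL=$MAX_POOL" >&2; return 1; }
    n=$pool_lo
    while [ "$n" -le "$pool_hi" ]; do
        echo "arp -s $(int_to_ip "$n") $3 pub"
        n=$((n + 1))
    done
}

# Constructed sample values; review the output, then run it as root.
proxy_arp_cmds 10.1.1.10 10.1.1.12 8:0:20:aa:bb:cc
```

Entries added with arp -s do not survive a reboot, so the generated lines are usually kept in a startup script as well.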


   All contents © 2004 Network Presence, LLC. All rights reserved.