
Re: [FW-1] SecureClient encryption domains and NAT'd user networks.



I don't think this will work as SecuRemote will not be
used if the client's local IP address is in a subnet
that exists in the encryption domain. I also ran into
issues with IP Pool NAT where the firewall had to have
a route to the client's internal subnet pointing to
the Internet.

I'd suggest identifying a subnet that will not
conflict with the encryption domain and have users
switch their devices to that. There are no problems
with multiple clients having the same internal address
as long as their public address is different.

--- "Prokopinskiy, Igor"
<[email protected]> wrote:
> Tim,
>
> You don't have to force your clients to change their
> network addresses. The
> problem can be solved by using IP Pool NAT on the
> firewall... Below is the
> outline of how to set it up. If you still can't get
> it to work, check your
> documentation/support for more information on how to
> set up IP Pool NAT.
>
> 1. Create an address range object;
>
> 2. Go to [policy properties->ip pool nat tab] and
> check "enable ip pool nat
> for securemote connections" checkbox;
>
> 3. Open [manage objects->fw object->nat tab] and
> check "use ip pool nat for
> securemote connections";
>
> 4. Plug your address range object into the "allocate
> ip pool addresses from"
> container;
>
> 5. If your address range object belongs to the
> internal network, add a proxy
> arp for each address from the range, hang it off of
> the internal network
> interface; I only know how to do it on Solaris, read
> the newsgroup archives
> for Windows-specific instructions...
> # arp -s IP_POOL_NAT_ADDRESS_0 INTERNAL_INTERFACE_MAC pub
> # arp -s IP_POOL_NAT_ADDRESS_1 INTERNAL_INTERFACE_MAC pub
> ...
> # arp -s IP_POOL_NAT_ADDRESS_N INTERNAL_INTERFACE_MAC pub
>
> 6. fwstop; fwstart
>
> I hope this helps.
>
> Igor Prokopinskiy
>
>
> > -----Original Message-----
> > From: Tim Jones [SMTP:[email protected]]
> > Sent: Thursday, November 15, 2001 12:54 PM
> > To:   [email protected]
> > Subject:      [FW-1] SecureClient encryption domains and NAT'd user
> > networks.
> >
> > Hello.
> >
> > I've run into an issue with SecureClient 4.1 that I'm
> > hoping someone can help me with.
> >
> > Our encryption domain is 192.168.0.0.  I'm wondering
> > how we can allow a client whose home network uses
> > addresses in this range to access the encryption
> > domain.  Whenever the client tries to ping something
> > in the encryption domain, the traffic doesn't go
> > through the VPN, and I'm not 100% sure why.
> >
> > Are there issues with using SecureClient from a
> > network in the same subnet as the encryption domain?
> >
> > Thanks!


===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
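
Added example, not part of the original thread: a small check for the conflict discussed above, where a client's local subnet overlaps the encryption domain, plus a helper that picks a private subnet that does not conflict. The thread gives the encryption domain only as 192.168.0.0, so the /16 mask, the sample client addresses and the function names are assumptions.

```python
import ipaddress

# Assumption: the thread states the encryption domain only as "192.168.0.0";
# the /16 mask is chosen here for illustration.
ENCRYPTION_DOMAIN = ["192.168.0.0/16"]

# RFC 1918 private ranges, searched in this order for a replacement subnet.
PRIVATE_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def _nets(items):
    """Normalise strings or network objects to ip_network objects."""
    return [ipaddress.ip_network(i) for i in items]


def conflicts(client_if, domain=ENCRYPTION_DOMAIN):
    """Return the encryption-domain networks that overlap the client's
    local subnet. client_if is the client's local address with its mask,
    e.g. "192.168.1.23/24"."""
    local = ipaddress.ip_interface(client_if).network
    return [net for net in _nets(domain) if net.overlaps(local)]


def suggest_subnet(domain=ENCRYPTION_DOMAIN, prefixlen=24):
    """Return the first private subnet of the requested size that overlaps
    no encryption-domain network, or None if none exists."""
    domain_nets = _nets(domain)
    for block in _nets(PRIVATE_BLOCKS):
        if prefixlen <= block.prefixlen:
            continue  # requested subnet would be larger than this block
        for candidate in block.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(net) for net in domain_nets):
                return candidate
    return None


if __name__ == "__main__":
    # Constructed sample clients: local interface address behind their NAT.
    for client in ("192.168.1.23/24", "10.1.2.3/24"):
        hit = conflicts(client)
        if hit:
            print(f"{client}: overlaps {hit[0]}, move LAN to {suggest_subnet()}")
        else:
            print(f"{client}: no overlap with the encryption domain")
```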



 
   All contents © 2004 Network Presence, LLC. All rights reserved.