
Re: [FW-1] Incoming NAT for SecuRemote users



> is it possible to NAT the ISP-IP-address of a SecuRemote client with a
> reserved IP-address from my LAN IP-range?
There are two ways of doing this. In CheckPoint NG, you can use a feature
called Office Mode. This was available as an upgrade from the base
software installation and it requires that all of your components, GUI,
Firewall, and SR client be running NG.

I have not played with Office Mode much yet, but the way it works is that
the SR client will contact the firewall, and through a process similar to
DHCP it will be assigned a firewall, DNS server, and other information. The
client then uses these values when connecting to the LAN.

The other way of doing this, and the only way that works with versions
before NG, is to use an IP_NAT_Pool.

Enable IP_NAT_Pools in the firewall policy properties window. Then, define
an IP subnet or IP range with the IPs that you want incoming clients to
use. This should be a part of the network attached to the firewall that
the clients will access. Next, click on the firewall object and under the
NAT or VPN tab (I forget which) enable IP NAT Pools and select the address
range you defined earlier. Finally, you must add a published ARP entry for
every IP address in the range with the firewall's MAC address so that
return traffic can be routed back to the client through the firewall!
Unless you have static NATs defined somewhere else, local.arp will not
work on the Windows platform as it will not read the file. CheckPoint
released a separate ARP utility which you might prefer to use (also,
local.arp is not working under Windows 2000 thanks to Microsoft I
believe).

I prefer the IP NAT Pool method for hiding connections because I am still
not familiar enough with Office Mode to be comfortable with it. Please
keep in mind that when using IP NAT Pools, _ALL_ VPN connections are
NAT'd, not just SR connections. If you have Site to Site VPNs, these will
be NAT'd as well. You must make sure to take this into account when using
this feature.

-Don
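
The published-ARP step above, sketched as an added example that is not part of the original message: it expands a NAT pool range into one entry per address and rejects ranges that would not work as described (outside the attached network, or overlapping the firewall's own address). The "IP MAC" one-per-line output format is an assumption about local.arp, and all addresses and the MAC are constructed.

```python
import ipaddress
import re


def normalize_mac(mac):
    """Return the MAC as lower-case colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if int(digits[:2], 16) & 1:
        raise ValueError("group (multicast/broadcast) MAC cannot be published for a host")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def published_arp_entries(first, last, attached_net, fw_ip, fw_mac):
    """Build one 'IP MAC' line per pool address, all pointing at the firewall.

    first/last   -- inclusive bounds of the IP NAT pool range
    attached_net -- network attached to the firewall that clients will access
    fw_ip/fw_mac -- the firewall interface on that network
    """
    net = ipaddress.ip_network(attached_net)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    fw = ipaddress.ip_address(fw_ip)
    mac = normalize_mac(fw_mac)
    if lo > hi:
        raise ValueError("pool range is reversed")
    entries = []
    for n in range(int(lo), int(hi) + 1):
        ip = ipaddress.ip_address(n)
        if ip not in net:
            raise ValueError(f"{ip} is not on the attached network {net}")
        if ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is the network or broadcast address")
        if ip == fw:
            raise ValueError(f"{ip} is the firewall's own address")
        entries.append(f"{ip} {mac}")
    return entries


if __name__ == "__main__":
    # Constructed sample: a four-address pool on a /24 behind the firewall.
    for line in published_arp_entries("192.168.10.200", "192.168.10.203",
                                      "192.168.10.0/24", "192.168.10.1",
                                      "00-A0-C9-12-34-56"):
        print(line)
```

A pool address that fails these checks has no usable ARP answer from the firewall, which is the situation the message describes where return traffic never reaches the client.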

   All contents © 2004 Network Presence, LLC. All rights reserved.