[FW-1] Solution [FW-1] - SecurRemote doesn't works since ISP change

[Emmanuel LUCAS <elucas@FW1-NOSPAMVILLE-ORLEANS.FR>]

Title: Solution [FW-1] - SecurRemote doesn't works since ISP change

You are right.
I have changed the DHCP range on my router from 192.X.X.X to 193.X.X.X that does't exists on my network and now it works.

Thank a lot for you informations.
-----Message d'origine-----
De : Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@beethoven.us.checkpoint.com]De la part de Lars Troen
Envoyé : lundi 28 octobre 2002 15:17
À : FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Objet : Re: [FW-1] - SecurRemote doesn't works since ISP change

The decrypted packet will have the original ip address. If this packet's address exists within your internal networks, you will have internal routing problems, and vpn will not work properly.

Lars

-----Original Message-----
From: Emmanuel LUCAS [mailto:elucas@VILLE-ORLEANS.FR]
Sent: Monday, October 28, 2002 13:49
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: [FW-1] - SecurRemote doesn't works since ISP change

I have a DMZ that is 192.168.1.X MASK 255.255.255.0 and I have a route on my Firewall. My client network is 192.168.2.X MASK 255.255.255.0 and I have no route to this network. But how do you axplain that it worked fine before I change my ISP ? And why when the client negociate withe the firewall the IP adresse is good and when I try to reach one internal machine I have the wrong IP address ?

De : Mailing list for discussion of Firewall-1 [<mailto:FW-1-MAILINGLIST@beethoven.us.checkpoint.com>]De la part de Lars Troen
Envoyé : lundi 28 octobre 2002 11:36
À : FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Objet : Re: [FW-1] - SecurRemote doesn't works since ISP change

How is the 192.168.x.x segment routed in your internal network?
If you try to trace to the client address from your NT server, where does it go? If it's not routed to the firewall you can solve this problem by wither implementing Securemote NAT or by using SecureClient Office Mode. Or you can put a static route from your server for this network to the firewall, but this might be less stable as you probably get more such user, and they can have other similar addresses.

Lars

-----Original Message-----
From: Emmanuel LUCAS [<mailto:elucas@VILLE-ORLEANS.FR>]
Sent: Monday, October 28, 2002 11:09
To: FW-1-MAILINGLIST@beethoven.us.checkpoint.com
Subject: [FW-1] - SecurRemote doesn't works since ISP change

Hi all,
My configuration: FW-1 NG on an NT box and SecurRemote NG on Win98
My problem:
I have a SecuRemote (SR) installed behind a SMC router. I'm authentified by the firewall but I can't use NT ressources. All worked fine since I have changed my ISP on the Firewall side. I was on the cable and now I use "France Telecom" connection behind a router.

I have made some tests:
When I connect my client directly on the ISP (no router), all works fine.
When I look on my FW logs, I can see that the negociation with the FW works fine and the source IP adress is the official Internet IP address of the SR ISP, but when I try to access to a NT server the source IP address is the IP adress that the DHCP server on the router gives to the client (192.16.X.X).

I think that the problem is there but How to correct IT ? And why this appends only with my new ISP ?

Cordially,
Emmanuel Lucas.