Re: [FW-1] Remote Access & Office Mode
On Tue, 1 Jul 2003, Layne Meier wrote:

> When trying to configure Office Mode, it says that I need to define a
> Virtual IP Address for DHCP server replies. Should I not use the IP
> Address of the LAN interface of the Enforcement Module?

No. Read on.

> I have defined a DHCP scope on our DHCP server in the same subnet as
> the VPN Server resides in.

You'll need to define a scope that is outside the subnet. Read on.

> I have two Cisco 6513 routers within that
> subnet as well. Here is a pseudo breakdown of that subnet:
>
> 10.1.1.0 / 255.255.255.0
>
> Cisco#1 10.1.1.2
> Cisco#2 10.1.1.3
> Virtual Router (HSRP) 10.1.1.1
>
> VPN Gateway 10.1.1.21
>
> DHCP Server 10.1.4.15

Ok, so let's assume that you have uniformly subnetted 10 with 24-bit subnet masks. Your VPN Gateway is on the 10.1.1.0/24 network. Your DHCP server is on a separate network (10.1.4.0/24), but that's not important right now.

> I've defined the scope, and bound it to these interfaces 10.1.1.1,
> 10.1.1.2, 10.1.1.3 and 10.1.1.21.

No idea why you've bound the scope to anything. The DHCP server could be configured to listen on specific subinterfaces on the machine it is running on, but that's not important here, unless, of course, it's not listening on an appropriate subinterface.

> Shouldn't DHCP replies simply go back to the VPN Gateway?

That's a routing question. Not relevant to this topic.

> Why would I have to define a "Virtual IP Address".

Ok, here's where we get to the real issue.

Pretend you are doing DHCP relay through your firewall. That means you have a DHCP server on one side of the firewall providing addresses for a network that is on another side of the firewall (read "side" = "network interface"). When a machine on the client network sends a DHCP request, it sends a broadcast on that network. Since the firewall is running DHCP relay, it picks up the request and forwards it to a real DHCP server.

How does the DHCP server know that this request is from another side of the firewall instead of from the network on which the DHCP server is located? The request has a "gateway" entry that specifies an address on the client network. Usually that is the primary address of the firewall's interface on that client network. When the server sees such a gateway entry, it picks an available address from the scope for that network and offers it to the firewall, who in turn offers it to the client.

Office Mode works by emulating this behaviour. It pretends that there is another side from which DHCP requests are initiated. Like a real DHCP relay, it needs to send a "gateway" address to the DHCP server so that the server knows which scope to pick an address from. That "gateway" address is what you put in for the "virtual IP address for DHCP server replies". (Much of the confusion comes from this caption. It's very misleading.)

Just pick an IP address that is in the subnet that you want to use for Office Mode, and omit that address from the scope on the DHCP server. When the server sees that "gateway" address, it knows to offer an address from the scope that you have defined for the Office Mode subnet.

Let's say you use 10.2.0.0/24 for your Office Mode subnet. You could set the "virtual IP address for DHCP server replies" (NG FP3 caption, might vary in NG AI) to 10.2.0.1, and define the scope to be 10.2.0.2 - 10.2.0.254. When a SecureClient client requests an Office Mode address, the firewall will send a request to the DHCP server (at 10.1.4.15, which you define in "Use specific DHCP server"), with the "gateway" address set to 10.2.0.1. The DHCP server will then pick an address from the 10.2.0.2 - 10.2.0.254 range and offer that to the firewall for this client. This, of course, will be the only time the address 10.2.0.1 will be used for anything.

Note that your routers on the 10.1.1.0/24 and the 10.1.4.0/24 networks will need to route traffic destined for 10.2.0.0/24 to the firewall.

> Does that mean I'd have to create a virtual address on the
> primary interface on the VPN gateway?

No. The only place the virtual address appears is in the "Virtual IP address for DHCP server replies" box.

> I'm running VPN on a Sun SunFire V480, dual 900MHz CPUs, 4Gb of RAM
> and dual 40Gb hard drives. It's running Sun Solaris 2.8 and CheckPoint
> FireWall-1/VPN-1 NG with Application Intelligence.
>
> Thank you,
> Layne Meier
> Atlanta Newspapers

------------------------------------------------------------------
Sid Van den Heede
Open Text Corporation
------------------------------------------------------------------
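Added example, not part of the original thread and not Check Point or any real DHCP server code: a toy model of the relay mechanism Sid describes. The "gateway" entry he refers to is the giaddr field of the BOOTP/DHCP header (RFC 2131), and a server allocating for a relayed request chooses the scope whose subnet contains giaddr (RFC 2131 section 4.3.1). The script builds a DHCPDISCOVER with giaddr set to the thread's virtual IP (10.2.0.1), has a stand-in server select a scope from it, and includes a config check that flags the three mistakes discussed above: a virtual IP outside the Office Mode subnet, a virtual IP inside the offered range, and an Office Mode scope that overlaps the gateway's own LAN (10.1.1.0/24). Scope ranges and the MAC address are constructed sample values.

```python
"""Toy DHCP relay / scope-selection model (added example, not from the post)."""
import ipaddress
import struct

BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie at offset 236
OPT_MSG_TYPE, OPT_END = 53, 255
DHCPDISCOVER = 1


def build_discover(xid, mac, giaddr):
    """Build a minimal DHCPDISCOVER as a relay agent would forward it.

    giaddr is the "gateway" address the server keys its scope choice on;
    Office Mode fills it with the "virtual IP address for DHCP server replies".
    """
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s",
        BOOTREQUEST, 1, 6,                 # op, htype (Ethernet), hlen
        1,                                 # hops: the relay agent increments this
        xid, 0, 0x8000,                    # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,  # giaddr: the relay's address
        mac.ljust(16, b"\0"),              # chaddr
    )
    sname_file = b"\0" * (64 + 128)        # sname and file fields, unused here
    options = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return fixed + sname_file + options


def parse_giaddr(packet):
    """giaddr sits at bytes 24..27 of the fixed BOOTP header."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    return ipaddress.IPv4Address(packet[24:28])


class Scope:
    """A DHCP scope: a subnet plus the range the server may hand out."""

    def __init__(self, subnet, first, last):
        self.subnet = ipaddress.IPv4Network(subnet)
        self.first = ipaddress.IPv4Address(first)
        self.last = ipaddress.IPv4Address(last)
        self.leased = set()
        if self.first not in self.subnet or self.last not in self.subnet:
            raise ValueError("range must lie inside the scope's subnet")

    def allocate(self):
        """Return the lowest unleased address in the range, or None if exhausted."""
        addr = self.first
        while addr <= self.last:
            if addr not in self.leased:
                self.leased.add(addr)
                return addr
            addr += 1
        return None


def select_scope(scopes, giaddr):
    """RFC 2131 4.3.1: with a non-zero giaddr, allocate from the subnet containing it."""
    if int(giaddr) == 0:
        return None  # a real server would use the receiving interface's subnet
    for scope in scopes:
        if giaddr in scope.subnet:
            return scope
    return None


def check_office_mode_config(virtual_ip, office_scope, lan_subnet):
    """Return the misconfigurations the thread warns about (empty list = OK)."""
    vip = ipaddress.IPv4Address(virtual_ip)
    lan = ipaddress.IPv4Network(lan_subnet)
    problems = []
    if vip not in office_scope.subnet:
        problems.append("virtual IP is not inside the Office Mode subnet")
    if office_scope.first <= vip <= office_scope.last:
        problems.append("virtual IP must be omitted from the offered range")
    if office_scope.subnet.overlaps(lan):
        problems.append("Office Mode scope must be outside the gateway's LAN subnet")
    return problems


if __name__ == "__main__":
    scopes = [
        Scope("10.1.1.0/24", "10.1.1.100", "10.1.1.200"),  # constructed LAN scope
        Scope("10.2.0.0/24", "10.2.0.2", "10.2.0.254"),    # Office Mode scope from the thread
    ]
    pkt = build_discover(0x1234, b"\x00\x11\x22\x33\x44\x55", "10.2.0.1")
    gw = parse_giaddr(pkt)
    chosen = select_scope(scopes, gw)
    print("giaddr", gw, "-> scope", chosen.subnet, "offer", chosen.allocate())
    print("problems:", check_office_mode_config("10.1.1.21", scopes[0], "10.1.1.0/24"))
```

Running it shows the server picking 10.2.0.0/24 purely from the giaddr value, and the checker reporting the original configuration (virtual IP on the LAN interface, scope in the LAN subnet) as overlapping the gateway's network.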