Re: [FW-1] Remote Access & Office Mode



On Tue, 1 Jul 2003, Layne Meier wrote:

> When trying to configure Office Mode, it says that I need to define a
> Virtual IP Address for DHCP server replies.  Should I not use the IP
> Address of the LAN interface of the Enforcement Module?

No.  Read on.

> I have defined a DHCP scope on our DHCP server in the same subnet as
> the VPN Server resides in.

You'll need to define a scope that is outside the subnet.  Read on.

> I have two Cisco 6513 routers within that
> subnet as well.  Here is a pseudo breakdown of that subnet:
>
> 10.1.1.0 / 255.255.255.0
>
> Cisco#1  10.1.1.2
> Cisco#2  10.1.1.3
> Virtual Router (HSRP)  10.1.1.1
>
> VPN Gateway   10.1.1.21
>
> DHCP Server 10.1.4.15

Ok, so let's assume that you have uniformly subnetted 10 with 24-bit subnet
masks.  Your VPN Gateway is on the 10.1.1.0/24 network.  Your DHCP server is on
a separate network (10.1.4.0/24), but that's not important right now.

> I've defined the scope, and bound it to these interfaces 10.1.1.1,
> 10.1.1.2, 10.1.1.3 and 10.1.1.21.

No idea why you've bound the scope to anything.  The DHCP server could be
configured to listen on specific subinterfaces on the machine it is running on,
but that's not important here, unless, of course, it's not listening on an
appropriate subinterface.

> Shouldn't DHCP replies simply go back to the VPN Gateway?

That's a routing question.  Not relevant to this topic.

> Why would I have to define a "Virtual IP Address".

Ok, here's where we get to the real issue.

Pretend you are doing dhcp relay through your firewall.  That means you have a
DHCP server on one side of the firewall providing addresses for a network that
is on another side of the firewall (read "side" = "network interface").

When a machine on the client network sends a DHCP request, it sends a broadcast
on that network.  Since the firewall is running dhcp relay, it picks up the
request and forwards it to a real DHCP server.  How does the DHCP server know
that this request is from another side of the firewall instead of from the
network on which the DHCP server is located?  The request has a "gateway"
entry, that specifies an address on the client network.  Usually that is the
primary address of the firewall's interface on that client network.  When the
server sees such a gateway entry, it picks an available address from the scope
for that network and offers it to the firewall, who in turn offers it to the
client.

Office Mode works by emulating this behaviour.  It pretends that there is
another side from which DHCP requests are initiated.  Like a real dhcp relay,
it needs to send a "gateway" address to the DHCP server so that the server
knows which scope to pick an address from.  That "gateway" address is what you
put in for the "virtual IP address for DHCP server replies".  (Much of the
confusion comes from this caption.  It's very misleading.)  Just pick an IP
address that is in the subnet that you want to use for Office Mode, and omit
that address from the scope on the DHCP server.  When the server sees that
"gateway" address, it knows to offer an address from the scope that you have
defined for the office mode subnet.

Let's say you use 10.2.0.0/24 for your Office Mode subnet.  You could set the
"virtual IP address for DHCP server replies" (NG FP3 caption, might vary in NG
AI) to 10.2.0.1, and define the scope to be 10.2.0.2 - 10.2.0.254.  When a
SecureClient client requests an office mode address, the firewall will send a
request to the DHCP server (at 10.1.4.15, which you define in "Use specific
DHCP server"), with the "gateway" address set to 10.2.0.1.  The DHCP server
will then pick an address from the 10.2.0.2 - 10.2.0.254 range and offer that
to the firewall for this client.

This, of course, will be the only time the address 10.2.0.1 will be used for
anything.

Note that your routers on the 10.1.1.0/24 and the 10.1.4.0/24 networks will
need to route traffic destined for 10.2.0.0/24 to the firewall.

> Does that mean I'd have to create a virtual address on the
> primary interface on the VPN gateway?

No.  The only place the virtual address appears is in the "Virtual IP address
for DHCP server replies" box.

> I'm running VPN on a Sun SunFire V480, dual 900MHz CPU's, 4Gb of RAM
> and dual 40Gb hard drives.  It's running Sun Solaris 2.8 and CheckPoint
> FireWall-1/VPN-1 NG with Application Intelligence.
>
> Thank you,
> Layne Meier
> Atlanta Newspapers

------------------------------------------------------------------
Sid Van den Heede               Open Text Corporation
------------------------------------------------------------------
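The relay-agent mechanism Sid describes above (the "gateway" field, giaddr in RFC 2131, steering the server to a scope, and the reply going back to that address) is easy to see in a few lines of code. The following is an added example, not code from the original post and not Check Point's own implementation: a minimal DHCPDISCOVER/DHCPOFFER exchange with a toy server whose scope selection follows RFC 2131 section 4.3.1. The addresses are the hypothetical ones from the thread (Office Mode subnet 10.2.0.0/24, virtual IP 10.2.0.1 excluded from the 10.2.0.2-10.2.0.254 scope, DHCP server 10.1.4.15); the `Scope`, `DhcpServer` and `office_mode_offer` names are made up for the example.

```python
"""Added example: how a DHCP relay (or Office Mode emulating one) uses giaddr.

Not Check Point code.  Scope selection is a simplified model of what an
RFC 2131 server does; addresses are the hypothetical ones from the thread.
"""
import ipaddress
import struct

# Fixed part of the BOOTP/DHCP header (RFC 2131 section 2), 236 bytes:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128)
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that starts options
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
BROADCAST_FLAG = 0x8000


def build_discover(xid, client_mac, giaddr, hops=1):
    """DHCPDISCOVER as forwarded by a relay agent.

    `giaddr` is the address the relay claims on the client-side network.  For
    Office Mode this is the "virtual IP address for DHCP server replies"; it
    does not have to be configured on any firewall interface."""
    hdr = _HDR.pack(
        BOOTREQUEST, 1, 6, hops, xid, 0, BROADCAST_FLAG,
        b"\0" * 4, b"\0" * 4, b"\0" * 4,
        ipaddress.IPv4Address(giaddr).packed,
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return hdr + MAGIC + bytes([53, 1, DHCPDISCOVER]) + b"\xff"  # type, END


def build_offer(req, yiaddr, server_ip):
    """DHCPOFFER.  Per RFC 2131 section 4.1 the server addresses it to giaddr,
    i.e. to the relay; with Office Mode that is why the routers must route the
    Office Mode subnet (here 10.2.0.0/24) to the firewall."""
    hdr = _HDR.pack(
        BOOTREPLY, 1, 6, req["hops"], req["xid"], 0, BROADCAST_FLAG,
        b"\0" * 4, yiaddr.packed, ipaddress.IPv4Address(server_ip).packed,
        req["giaddr"].packed, req["chaddr"].ljust(16, b"\0"),
        b"\0" * 64, b"\0" * 128,
    )
    return hdr + MAGIC + bytes([53, 1, DHCPOFFER]) + b"\xff"


def parse_header(pkt):
    f = _HDR.unpack_from(pkt)
    return {"op": f[0], "hops": f[3], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": ipaddress.IPv4Address(f[8]),
            "giaddr": ipaddress.IPv4Address(f[10])}


class Scope:
    """An address pool for one subnet.  `excluded` holds addresses that must
    never be handed out, such as the Office Mode virtual IP."""
    def __init__(self, network, first, last, excluded=()):
        self.network = ipaddress.ip_network(network)
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        excl = {ipaddress.IPv4Address(e) for e in excluded}
        self.free = [a for a in (ipaddress.IPv4Address(i) for i in range(lo, hi + 1))
                     if a not in excl]
        self.leases = {}            # chaddr -> IPv4Address


class DhcpServer:
    def __init__(self, server_ip, scopes):
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.scopes = scopes

    def select_scope(self, giaddr):
        # RFC 2131 section 4.3.1: zero giaddr means the client sits on the
        # server's own subnet; otherwise use the scope whose subnet contains
        # giaddr.  This is the only thing the "virtual IP" is needed for.
        anchor = self.server_ip if int(giaddr) == 0 else giaddr
        return next((s for s in self.scopes if anchor in s.network), None)

    def handle_discover(self, pkt):
        req = parse_header(pkt)          # options are not needed for this demo
        scope = self.select_scope(req["giaddr"])
        if req["op"] != BOOTREQUEST or scope is None or not scope.free:
            return None                  # no scope for that gateway: no offer
        addr = scope.leases.get(req["chaddr"]) or scope.free.pop(0)
        scope.leases[req["chaddr"]] = addr
        return build_offer(req, addr, self.server_ip)


def office_mode_offer(giaddr="10.2.0.1", mac=b"\x00\x11\x22\x33\x44\x55"):
    """Run one DISCOVER through a server set up as in the thread and return
    the parsed OFFER, or None if the server has no scope for that giaddr."""
    server = DhcpServer("10.1.4.15", [
        Scope("10.1.4.0/24", "10.1.4.100", "10.1.4.200"),
        Scope("10.2.0.0/24", "10.2.0.2", "10.2.0.254", excluded=["10.2.0.1"]),
    ])
    disc = build_discover(0x1234, mac, giaddr, hops=0 if giaddr == "0.0.0.0" else 1)
    offer = server.handle_discover(disc)
    return None if offer is None else parse_header(offer)


if __name__ == "__main__":
    print("Office Mode (giaddr 10.2.0.1):", office_mode_offer("10.2.0.1"))
    print("local client  (giaddr 0.0.0.0):", office_mode_offer("0.0.0.0"))
    print("LAN address   (giaddr 10.1.1.21):", office_mode_offer("10.1.1.21"))
```

With giaddr 10.2.0.1 the server hands out 10.2.0.2, the first address of the Office Mode scope, and addresses the OFFER to 10.2.0.1. With giaddr zero the same server serves its own 10.1.4.0/24 scope, and with the firewall's LAN address 10.1.1.21 (the value the original question proposed) there is no matching scope, so nothing is offered.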
   All contents © 2004 Network Presence, LLC. All rights reserved.