Re: [FW-1] SecureRemote / Network Addressing / Userc.C



Thanks for the information.  I do manage a local (separate network)
Checkpoint FW1 installation, but in this instance I'm connecting to a
remote partner site.  I'll forward this on to them and see if they can look
at this suggestion.

I did try stripping down my userc.c so that any conflicting networks did
not show up for the remote site's encryption domain.  This fixed my client
side so now SecureRemote does not proxy any local traffic.  However, it
seems to be a situation exactly as you describe.  SecureRemote is sending
packets, but getting nothing back (except for the initial logon/exchange).

.. Jason

At 08:27 PM 10/8/2003 -0500, you wrote:
You can enable IP NAT pool for SecuRemote connections.  When a client
connects to you, it nats the address as it comes inbound to an address in
the pool.  I had to set this up because I have a machine with 192.168.1.2 on
my network, and someone from home was on 192.168.1.2, the packets would
ingress, but they would route to the internal client on the egress.  I set up
an IP nat pool of 192.168.210.x for SecuRemote connections.  So far it
appears to work well.

You have to create a network object for your pool network.  Then in global
properties I believe, enable IP Pool NAT under Remote Access.  Sorry don't
have smartcenter in front of me.  Then you need to assign the pools under
the enforcement center properties on the NAT tab for IP Pool Network.
Install policy and then have someone outside of the encryption domain fire
it up and see if it translates them.

You can click on VPN in smarttracker, and see the XlateSrc NAT field with
the appropriate values.   This also will help if you have an IDS sitting
behind your firewall, because if you see an alert from this IP Pool network,
you know it's coming from the outside via VPN, or could be....

Derek

-----Original Message-----
From: Mr.Bert Wilson [mailto:[email protected]]
Sent: Wednesday, October 08, 2003 5:23 PM
To: [email protected]
Subject: Re: [FW-1] SecureRemote / Network Addressing / Userc.C

Did you try it?

>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]]On Behalf Of Jason
>Badry
>Sent: Wednesday, October 08, 2003 5:34 PM
>To: [email protected]
>Subject: [FW-1] SecureRemote / Network Addressing / Userc.C
>
>
>I am running into a situation where a remote client site network addressing
>range is overlapping with my LAN addressing range, and so I have to leave
>my network to establish a SecureRemote connection.
>
>Desktop: Win2KSP4 / SecureRemote 4.1SP5 build 4200.
>Local Lan: 192.168.x
>
>The problem is I've run into the situation where I have clients at various
>sites which are all using different private addressing (10.x.x.x,
>172.x.x.x, 192.168.x.x). I have the least amount of overlap in the
>192.168.x space, and that is why we set up our LAN there.
>
>I have been looking at the userc.c file that SecureRemote contains, and my
>question is:
>1. Would this example work (I haven't managed to get it working so far):
>- say my LAN is at 192.168.100.x
>- at the remote Client, the server(s) I am maintaining are in 192.168.200.x
>- can I remove all references to 192.168.100.x from the userc.c file?  I do
>not need to connect to any servers in this space at the remote site.
>
>Any suggestions would be appreciated.  Public addressing would be a good
>solution, but I don't know how feasible/possible it would be to
>implement that.
>
>Thanks,
>
>.. Jason Badry
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.