Hi Fabian,

The gateway will only see the Office Mode address and route it appropriately
if a user is connected and assigned that address. For example, I'm the only
user connected by Office Mode and I am assigned an Office Mode address of
192.168.100.4. A traceroute from your internal network to my 192.168.100.4
address will succeed, but a traceroute to any other 192.168.100.xxx address
will go through the firewall to your ISP. That's just the way it works.

Are you trying the SecureClient connection from the internal network or the
Internet? If you're trying it from the internal network, the Office Mode IP
address will get dropped as a spoof. Check Point claims this is a feature
and not a bug.  :-)

Ray

From: Fabian Tuender <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Office mode
Date: Tue, 3 Aug 2004 18:46:07 +0200

First of all, thanks for your answer. I still have a question remaining. The
internal subnet will forward its Office Mode IP address range to the
firewall, but strangely enough, when I do a tracert the route goes through our
internal router, to our firewall and then also to our internet router, which
blocks the traffic. The firewall doesn't seem to pick up the traffic. Why
could it be that the firewall doesn't seem to recognize it as being its own
address space?

On the client side when I connect using a secureclient I see the following
message:
Checking network connectivity...
Preparing connection...
Connecting to gateway...
User xxxxxx authenticated by FireWall-1 authentication
Gateway not responding
Connection failed

Once the authentication is established it cannot complete the tunnel setup
and in the logs I don't see anything anymore.

With kind regards,
  Fabian

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ray
Sent: Monday, August 02, 2004 8:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Office mode

Office Mode IP Pools CANNOT be part of the subnet of your internal networks,
however with the later versions of AI, they can be part of the encryption
domain.

Your internal routers must know to send all Office Mode IPs to the firewall.
Assume you have assigned 192.168.100.0 255.255.255.0 to the Office Mode IP
Pool and this is outside of your internal subnet.

From your work computer, without using SecureClient, a

tracert 192.168.100.5

should end up back at the firewall internal interface. If not, you'll have
to adjust your internal routers appropriately. Note that Office Mode is a
SecureClient feature and does not work with SecuRemote.

If you change the Office Mode IP Pool range, I believe you have to reboot
the gateway as well.

Ray

>From: Fabian Tuender <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [FW-1] Office mode
>Date: Mon, 2 Aug 2004 19:34:51 +0200
>
>Good evening,
>
>I hope someone can clear up a problem for me. We need to use Office Mode
>to assign IP addresses to clients. Without Office Mode everything works
>fine, I can get a connection with a SecuRemote client to our firewall
>and ping any address behind it and all traffic passes through without
>problems. When I enable Office Mode I get authorised by the firewall
>but afterwards there is no traffic possible through the tunnel.
>When I set up Office Mode to use an IP pool outside the subnet of our
>internal side of the firewall the connection fails. In the log I only
>see that I am authenticated successfully and I get an IP address assigned
>but then it ends.
>When I set up Office Mode to use an IP pool inside the subnet of our
>internal side of the firewall I get a connection but there is no
>traffic possible through that tunnel. I have a new network adapter with
>an IP address from the pool but nothing happens. On the firewall I see
>no traffic but only sometimes a broadcast from that client on the
>subnet. On the client's log viewer I get the message: encryption fail
>reason::Packet if from physical ip address but office mode is active.
>
>I have read the Office Mode documents over and over but cannot find why it's
>not working. Anyone with an idea is welcome, thanks in advance.
>
>With kind regards,
>   Fabian
>
>=================================================
>To set vacation, Out-Of-Office, or away messages, send an email to
>[EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your subscription options,
>email [EMAIL PROTECTED]
>=================================================
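
The two requirements from Ray's 2 August reply (pool outside the internal subnets, internal routers sending the whole pool to the firewall) can be checked offline before reaching for tracert. This is an added example, not part of the thread: the routing tables, the 10.1.0.0/16 internal network and the 10.1.0.x gateway addresses are constructed; only the 192.168.100.0/24 pool comes from the messages above.

```python
import ipaddress

def next_hop(addr, routes):
    """Longest-prefix match of addr against (prefix, gateway) routes."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def check_office_mode(pool, internal_nets, routes, fw_internal_ip):
    """Return a list of findings; an empty list means both checks pass."""
    pool = ipaddress.ip_network(pool)
    findings = []
    # Check 1: the pool must not be part of any internal subnet.
    for net in map(ipaddress.ip_network, internal_nets):
        if pool.overlaps(net):
            findings.append(f"pool {pool} overlaps internal network {net}")
    # Check 2: every pool address must resolve to the firewall's internal
    # interface. Walking each host catches more-specific routes that cover
    # only part of the pool (fine for pools of /24 size or so).
    wrong = {}
    for host in pool.hosts():
        gw = next_hop(host, routes)
        if gw != fw_internal_ip:
            wrong.setdefault(gw, host)  # first affected host per wrong gateway
    for gw, host in wrong.items():
        findings.append(f"{host} is routed to {gw}, not firewall {fw_internal_ip}")
    return findings

# Constructed sample data (assumptions, not values from the thread).
FIREWALL = "10.1.0.1"
INTERNAL = ["10.1.0.0/16"]
ROUTES_OK = [("0.0.0.0/0", "10.1.0.254"), ("10.1.0.0/16", "10.1.0.2"),
             ("192.168.100.0/24", FIREWALL)]
# Only the lower half of the pool points at the firewall.
ROUTES_PARTIAL = [("0.0.0.0/0", "10.1.0.254"), ("10.1.0.0/16", "10.1.0.2"),
                  ("192.168.100.0/25", FIREWALL)]

if __name__ == "__main__":
    for name, routes in (("ok", ROUTES_OK), ("partial", ROUTES_PARTIAL)):
        print(name, check_office_mode("192.168.100.0/24", INTERNAL, routes, FIREWALL))
```
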
