Hi Bob,

Is there some reason you can't go to a current version of the firewall and
SecureClient? You are putting a lot of risk into the picture if you plan on
using such an old version in the real world. To see if the FP2 version is an
issue, you can download an evaluation version of R55 which comes with a
fully functional license for 15 days. Since this is a test setup, that's
what I'd do.

I'm getting confused by how you have your subnets arranged. I'm assuming
you're using the same masks as you use in real life. Can you change the
external network to a 192.168 range to keep it totally different from the
internal network?

Ray

From: Bob <[EMAIL PROTECTED]>
To: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [FW-1] SecureClient and Internal Network Access
Date: Wed, 1 Sep 2004 16:33:37 -0700 (PDT)

Hi Ray,

         Let me thank you for . Actually let me draw the network again so
that it is clear. I saw that formatting messed it up a little. I have
attached a text file for better clarity. Right now the entire test
bed is in the lab. So we are using 10.x.x.x addresses for both internal and
external network on checkpoint gateway.

1. Client and checkpoint gateway's external sit on the same subnet
(10.10.16.0/255.255.240.0)

2. Server and checkpoint gateway's internal interface sit on the same
subnet
(10.10.48.0/255.255.240.0)

So there is no need for a router here, right, because the client can reach the
Check Point gateway's external interface directly and the server can reach the
Check Point gateway's internal interface directly. But I added the following
static route on the server to the 10.9.62.x network.

10.9.62.0 255.255.255.0 10.10.58.190

So the server knows how to get to 10.9.62.0 network.

Now, coming to the version of SecureClient: I am using Check Point NG FP2 build
52032.

sqa is the group created for remote access

Inbound Rules
--------------------
Source            Desktop              Service   Action
internal n/w      [EMAIL PROTECTED]    *Any      Encrypt
*Any              [EMAIL PROTECTED]    *Any      Accept

Outbound Rules
-----------------------
Desktop              Destination     Service   Action
[EMAIL PROTECTED]    internal n/w    *Any      Encrypt
[EMAIL PROTECTED]    *Any            *Any      Accept

External N/w on checkpoint:-  10.10.16.0
Internal N/w on checkpoint:-  10.10.48.0

I am using Traditional Mode policy.

-thanks
Bob



Ray <[EMAIL PROTECTED]> wrote:
Your NAT is probably OK. Do you have a static route on the gateway so it
knows how to route the 10.9.xxx.xxx traffic to the next hop internal
router?
Do your internal routers know to send all 10.9.xxx.xxx traffic back to the
gateway?

Which version of SecureClient? Are you using SCV? What do your desktop
security rules look like?

Normally you cannot ping the gateway unless you add a rule to allow it. Is
this a simplified or traditional policy? Do you have a specific rule in the
rule base to allow the SecureClient traffic access into and out of the
internal network?

Ray

>From: Bob
>Reply-To: Mailing list for discussion of Firewall-1
>
>To: [EMAIL PROTECTED]
>Subject: [FW-1] SecureClient and Internal Network Access
>Date: Tue, 31 Aug 2004 11:03:03 -0700
>
>Hi All,
> We are using Check Point NG FP2. We configured the Check Point gateway
>so that the SecureClient can have remote access to the internal networks.
>The servers in the internal networks can reach (pings work) the secure
>clients but the secure clients cannot reach the internal network or any
>servers (pings or http access to any servers did not work). In the network
>properties for the internal network I checked "Add Automatic Address
>Translation rule" and picked "Hide" as the translation method (Hide behind
>the interface of the install on Gateway). First of all, do I need to
>configure NAT in order for my network to work correctly? If so, are my NAT
>rules incorrect? Please advise.
>
>Our network looks like this:
>
>  Client            Check Point Gateway               Server
>  10.10.20.60/20    External        Internal          10.10.58.200/20
>                    10.10.16.40     10.10.58.190
>
>The IP pool that I assigned is network 10.9.62.0/24. The SecureClient got
>an IP address 10.9.62.1 when it connected to the gateway. The server can
>ping the client but the client cannot ping the gateway. Also in the log I
>do not see any packets being dropped.
>
>Any help is greatly appreciated, my boss is sitting on top of me so I had
>to look for help quickly.
>-thanks,
>sam
>
>
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================

client-----------
                |___________
(10.10.20.60    |Router    |
10.10.16.0      |          |
255.255.240.0)  |10.10.20.1|
                |          |
                |          |
                |          |
(External       |          |
 interface------------------
10.10.16.40
10.10.16.0
255.255.240.0)
CHECKPOINT GW
(Internal
 interface
10.10.58.190
10.10.48.0
255.255.240.0)
    |
    |      ---------
    |______| Server |
           |________|

             10.10.58.200
             10.10.48.0
             255.255.240.0

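Not part of the thread: an added Python check, written here to make Ray's routing questions concrete. It takes the lab addresses Bob posted (client 10.10.20.60/20, gateway 10.10.16.40/20 outside and 10.10.58.190/20 inside, server 10.10.58.200/20, office-mode pool 10.9.62.0/24, and the server's static route for the pool) and answers, from the routing information alone, whether each side is on-link with its gateway interface, whether the external and internal subnets are distinct, whether the pool is disjoint from every interface subnet, and whether the server's return path for a pool address ends at the gateway's inside interface. The host names, the `ROUTES` table layout and the `audit()` check names are my own; only the server's static route appears in the thread, and no default routes are modelled.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Lab addressing as posted in the thread (all RFC 1918, /20 masks).
# Host names are assumed labels, not anything from the thread.
HOSTS = {
    "client":      ip_interface("10.10.20.60/20"),   # SecureClient PC
    "gw_external": ip_interface("10.10.16.40/20"),   # gateway, outside
    "gw_internal": ip_interface("10.10.58.190/20"),  # gateway, inside
    "server":      ip_interface("10.10.58.200/20"),  # protected server
}
# IP pool handed out to SecureClient (the client got 10.9.62.1).
POOL = ip_network("10.9.62.0/24")

# Static routes as (host, destination, next hop). The server route is the
# one posted in the thread; the list has no others and no default routes.
ROUTES = [
    ("server", ip_network("10.9.62.0/24"), ip_address("10.10.58.190")),
]


def on_link(host, addr):
    """True when addr lies in host's own interface subnet (no router needed)."""
    return ip_address(addr) in HOSTS[host].network


def next_hop_for(host, dst):
    """Longest-prefix match over host's static routes, falling back to the
    connected subnet. Returns the next hop as a string, or None when the
    destination is unroutable from that host."""
    dst = ip_address(dst)
    best = None
    for h, net, nh in ROUTES:
        if h == host and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nh)
    if best is not None:
        return str(best[1])
    if on_link(host, dst):
        return str(dst)          # directly connected: ARP for it
    return None


def pool_overlaps():
    """Names of interfaces whose subnet overlaps the pool. Any hit means the
    return path for pool addresses is ambiguous."""
    return sorted(n for n, i in HOSTS.items() if POOL.overlaps(i.network))


def audit():
    """Run the checks asked for in the thread and return them as booleans."""
    gw_in = str(HOSTS["gw_internal"].ip)
    return {
        # Client and gateway outside interface on one wire: no router needed.
        "client_sees_gw_external": on_link("client", HOSTS["gw_external"].ip),
        # Server and gateway inside interface on one wire.
        "server_sees_gw_internal": on_link("server", gw_in),
        # External and internal /20s must not overlap each other.
        "ext_int_distinct": not HOSTS["gw_external"].network.overlaps(
            HOSTS["gw_internal"].network),
        # Pool must not overlap any interface subnet.
        "pool_disjoint": pool_overlaps() == [],
        # Server must send pool traffic back to the gateway's inside
        # interface, and that next hop must itself be on-link.
        "return_route_ok": next_hop_for("server", "10.9.62.1") == gw_in
                           and on_link("server", gw_in),
        # Client has no route to the server except through the tunnel.
        "client_needs_tunnel": next_hop_for("client", HOSTS["server"].ip) is None,
    }


if __name__ == "__main__":
    for check, ok in audit().items():
        print(f"{'OK ' if ok else 'BAD'} {check}")
```

Running it prints one line per check. `client_needs_tunnel` is expected to be True: the client should reach the server only through the tunnel with its 10.9.62.x address, which is why the question of whether inside routers send 10.9.x traffic back to the gateway matters. In this lab the server sits on the gateway's inside wire, so the posted static route alone covers the return path; if a router sat between server and gateway, that router would need the same route and the check would have to be run against its table instead.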