Problem: Check Point VPN-1 SecureClient Connection failed
slavek
2004-10-19 13:55:26 UTC
My network looks like this


LAN---------Firewall-1/VPN-1------------PIX---------------------internet
            (Nokia IPSO 3.8)            (NAT)
(all interfaces have private addresses)

I try to connect to Firewall-1/VPN-1 using SecureClient R56 and Office mode.
When the connection is performed from inside the LAN everything works fine
(the gateway is the interface inside the LAN).
When I try to connect from the internet, the site and authentication are
created successfully. But the tunnel doesn't work (I'm connecting to the
translated outside interface).

Firewall-1/VPN-1 has private addresses on all interfaces, and translation to
the public address is done on the PIX. The PIX allows all traffic in both
directions.

On the remote host which tries to connect to Firewall-1/VPN-1 I ran "srfw
monitor" and I saw that SecureClient sends packets not to the translated
outside address but to one of the private addresses of Firewall-1/VPN-1
(primary).

And I think that this can be the problem.
Has anyone seen something like this before? And maybe someone knows how to
configure this to work fine.
J-M Cherbuin
2004-10-27 15:21:34 UTC
Hello,

This behaviour is normal: the SecureClient got the IP addresses of the
firewall, as well as the encryption domain, from the topology download. The CP
firewall has no clue that it is translated by a PIX somewhere, and neither
does the SecureClient.

A workaround for that is to edit the user.C file on your SecureClient
computer and replace the external (private) IP of the CP fw with the public
one of the PIX at every place it appears. The PIX should also forward the
packets it receives to the CP fw. But each time you update the site your
modifications will be lost. So a much better solution: do the NAT on the
CP and only route with the PIX.

/Jean-Marc
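The user.C workaround from the reply above, as an added example that is not part of the original thread: it swaps the gateway's private address for the PIX's public one wherever it appears as a whole address, keeps a backup, and can be re-run after each site update. The addresses 192.168.10.1 and 203.0.113.10 are placeholders, and the sample content is a constructed stand-in, not the real user.C layout.

```python
import ipaddress
import re
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a topology file; NOT the real user.C layout.
SAMPLE = (
    b"(gateway-address 192.168.10.1)\n"
    b"(other-host 192.168.10.12)\n"
    b"(gateway-address-again 192.168.10.1)\n"
)

def rewrite_gateway_ip(data: bytes, private_ip: str, public_ip: str):
    """Return (new_data, count) with whole-address matches of private_ip replaced."""
    for ip in (private_ip, public_ip):
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    # Lookarounds keep 192.168.10.1 from matching inside 192.168.10.12
    # or 1.192.168.10.1, which a plain search-and-replace would corrupt.
    pattern = re.compile(
        rb"(?<!\d)(?<!\d\.)" + re.escape(private_ip.encode()) + rb"(?!\d|\.\d)"
    )
    return pattern.subn(public_ip.encode(), data)

def patch_file(path, private_ip: str, public_ip: str) -> int:
    """Patch the file in place, keeping the previous content in <name>.bak."""
    path = Path(path)
    patched, count = rewrite_gateway_ip(path.read_bytes(), private_ip, public_ip)
    if count:  # leave the file and any earlier backup alone when nothing matches
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(patched)
    return count

if __name__ == "__main__":
    # Demo on a temporary copy of the constructed sample (placeholder addresses).
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "user.C"
        target.write_bytes(SAMPLE)
        print(patch_file(target, "192.168.10.1", "203.0.113.10"), "replaced")
        print(target.read_bytes().decode())
```

A return value of 0 means the file no longer contains the private address, so the same call doubles as a check for whether a site update has undone the edit.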