
Checkpoint Firewall-1/VPN-Pro


tlwatkins

IS-IT--Management
Jun 16, 2003
1
US
Forgive me in advance for not knowing Checkpoint but I inherited this firewall and have no support now.

I have Checkpoint Firewall-1 w/VPN-Pro. We use this firewall as one of our gateways to the internet, which works great. I also use it to remotely connect to our internal network (10.15.0.0) from remote locations with Secure Remote.

Someone else (who no longer works here) built and configured this firewall to allow users to remotely connect with Secure Remote to our internal network. The problem that I have now is our corporate offices want users to be able to connect to their network through our Secure Remote VPN. Their network is (10.100.0.0). What do I need to change on my Checkpoint firewall to allow Secure Remote clients to connect to 10.100.0.0? I can ping addresses on my network (10.15.0.0) but not on the corporate network (10.100.0.0).

Any help is greatly appreciated. I would call Checkpoint Tech support but our maintenance agreement expired 2 years ago and they want thousands of dollars.

Thanks again...........
 
Hi,

There is an option to add locations which the S-R user will be able to access. It's under the S-R user configuration.
But if I understand correctly you are also unable to ping the corp IP range. Is the routing in place? Is this corp range behind another firewall? Could you access it from your LAN?

Jaro
 
Hi,

Need some advice on what I am doing wrong, but let me give you my existing config.

2 Nokia IP-560 clustered (4 Interfaces)

Interface 1 - Valid Subnet IP (external)
Interface 2 - Valid Subnet IP (DMZ) (Defined as internal in the topology)
Interface 3 - Cluster Management Subnet
Interface 4 - Internal

All 4 interfaces are connected to their respective switches. The default route set in Voyager is set to the gateway in the external subnet.

I am unable to route any traffic from the DMZ to external or external to DMZ, though the CKP policy allows all the traffic to be allowed.

I have another 2 IPSO clusters which are configured the same way, but I just can't get the traffic to pass through in the DMZ. Is there anything I am missing?

Any pointers are appreciated.

Thanks
 
Hi,

is the DMZ network routed correctly?
Can you issue a trace? Where does it end?
If you have a look into the tracker do you see any dropped packets?
I suppose you can reach every PC/server within the DMZ switch on L2 level, is the switch config ok?

Jaro
 
Hi Jaro,

I think I have set up the traffic routing correctly, but from the DMZ hosts I can't ping the DMZ subnet default gateway at the ISP. I have only one default route pointing to my external IP's gateway, which is at the ISP router.

The trace dies locally. I have not seen any dropped packets in the tracker and all packets are getting forwarded.

I can reach every PC/server in the DMZ switch on Layer 2, and this switch is an unmanaged switch.
 
Do you see any dropped packets on the tracker?

Do you have anti-spoofing defined on the interfaces? If so, have you included all the relevant networks?

Do you have route statements for the DMZ subnet with the gateway as the DMZ interface?
 