Hi All,
I was testing a design where I wanted to allocate an IP address from an IP Pool to SecureClient users.
I read up on the Check Point recommended way to do this and they say an IP subnet that is not part of the encryption domain, and is obviously not being used in the site network, should be used.
They also say internal devices should route through the firewall to reach this IP Pool subnet.
To me this says the firewall should act as the router/ gateway for the SecureClient (First Question)? But how do I go about configuring such a thing?
For example, my internal network is 192.168.1.0/24 and I have allocated 192.168.254.0/24 for Secure Clients. I create a Network Object, assign this as the Remote Access NAT pool, configure my rules and I can even see that my IP Pool addresses are being actively assinged to SecureClients by checking the diagnostics screeen in SecureClient. All sems fine until these clients cannot route to the Internal LAN!
How are the 192.168.250.0/24 devices (SecureClients) suposed to route to the Internal Network 192.168.1.0/24? As I say above, Check Point say the firewall should be the gateway to the SecureClient IP Pool, but how if there is no physical interface in that subnet?
I essentially need to allocate a free subnet for remote users to be allocated and have them route to the destination network. If anyone can spot what I a missing here please can you share this with me?
(One late bit of news I just considered... if I include 192.168.254.0/24 in my firewall topology configuration (i.e. say it is behind the internal interface) will that work?)
Regards,
p0000h
I was testing a design where I wanted to allocate an IP address from an IP Pool to SecureClient users.
I read up on the Check Point recommended way to do this and they say an IP subnet that is not part of the encryption domain, and is obviously not being used in the site network, should be used.
They also say internal devices should route through the firewall to reach this IP Pool subnet.
To me this says the firewall should act as the router/ gateway for the SecureClient (First Question)? But how do I go about configuring such a thing?
For example, my internal network is 192.168.1.0/24 and I have allocated 192.168.254.0/24 for Secure Clients. I create a Network Object, assign this as the Remote Access NAT pool, configure my rules and I can even see that my IP Pool addresses are being actively assinged to SecureClients by checking the diagnostics screeen in SecureClient. All sems fine until these clients cannot route to the Internal LAN!
How are the 192.168.250.0/24 devices (SecureClients) suposed to route to the Internal Network 192.168.1.0/24? As I say above, Check Point say the firewall should be the gateway to the SecureClient IP Pool, but how if there is no physical interface in that subnet?
I essentially need to allocate a free subnet for remote users to be allocated and have them route to the destination network. If anyone can spot what I a missing here please can you share this with me?
(One late bit of news I just considered... if I include 192.168.254.0/24 in my firewall topology configuration (i.e. say it is behind the internal interface) will that work?)
Regards,
p0000h