New VPN/SecureClient Install


rstockton (MIS, US), Aug 13, 2001
I have a couple questions regarding Checkpoint NG/VPN.

My Nokia IPSO box has 3 interfaces (note: addresses are fake):

External: 172.20.20.20/24 (yes, not routable)
DMZ: 12.12.12.12 (routable)
Internal: 10.10.10.10/24 (non routable). 1 or 2 static xlates. The rest as a Hide

All licences are registered to 172.20.20.20 and the Firewall object is 172.20.20.20

Also functions as management server

From the Internet, I will tell the SecureClients to point to 12.12.12.12. Does the firewall object itself need to be changed to be the routable DMZ interface? I cannot change the external interface to a real address as that would muck up the routing from the outside, which is out of my control. The external interface needs to stay as is.

Thanks
 
I don't know a lot about SecureClient, but my understanding of routing is that from the SecureClient you will need to get to the DMZ (through the firewall).

If you have spare (valid) IP addresses from the range of the external interface of the firewall then you could use static NAT for each of the objects in the DMZ.

This works while you have enough spare external IP addresses to match the number of machines in the DMZ that require
 
The goal is to have SecureClient access private networked resources not necessarily in the DMZ. My understanding is that the VPN client must connect to (through?) a known address; then, once authenticated, routing should be able to occur as the "remote" machine is "local".

The DMZ objects all have non-NATed real and published addresses.

Thanks for your help.
 
If your SecureClients can route to the firewall, then try adding a route on the client to 12.12.12.12 using the firewall as the gateway,
or 12.12.12.0 mask 255.255.255.0 for the whole network,
and check that the firewall has routes to 12.12.12.0.
I don't know if this is any more help.
 
At this point, I'm not that far in the process. I was wondering if there was a need to have the Nokia Firewall Object defined with a real address as opposed to a non-routable address. The DMZ is all real addresses and I was wondering if the Firewall Object needed that address, since that address is what the VPN client will be pointing to from the Internet for its policy, etc.

Thanks
 
The router on the outside of the firewall should have the firewall external address as its next hop for any registered addresses (DMZ or NAT internal addresses).
Usually this is a valid registered IP address unless you have NAT on the external router.

If your internal addresses can connect to the Internet, then run a tracert from there and follow the path, or go to and do a tracert back to your network. (It should get most of the way back until it hits the firewall.)

If your external-facing IP addresses aren't valid and you are connecting to the Internet, then NAT must be happening somewhere.

I am a little confused by your term "routed addresses". I am making the assumption that routed means that they are registered valid IP addresses (to you) rather than addresses in a reserved range.
 
Sorry for the confusion. Yes, I'm referring to valid Inet addresses as "routed".

Here's my setup:

Internet
|
<13.13.13.13>
router
<172.20.20.1>
|
<172.20.20.20>
Firewall - <12.12.12.12> - DMZ
<10.10.10.10>
|
Internal LAN

(I hope this formats to the board OK)

The Internal LAN browses the web using a NAT Hide. The DMZ hosts web sites with "real" addresses (i.e. not NAT'd). Routing is working like a champ. Users can browse the Woolly Web and external folks can hit our websites. (Have been for a while.) I'm in the process of setting up VPN (never done this before). Since the SecureClient needs to point to the 12.12.12.12 address (from the Internet) to get its Desktop Policy (as 12.12.12.12 is "real"), I was wondering if I needed to redefine the Firewall Object on the firewall itself to be 12.12.12.12 and go through the process of re-licencing the box. Currently my Firewall Object is the external interface (172.20.20.20).

Thanks for your patience.
 
I presume that all your current live servers are in the 12.12.12.12 range.
If so, then routing to your 12.12.12.12 addresses is fine from the Internet, so it shouldn't require any changes to your routing.
If for SecureClients you need to route to the firewall,
use the trace route facility at
to your firewall external address and see if it gets there (or close, as it may not get to the firewall itself).

I am assuming that the internal network hides behind an address close to that of the firewall (i.e. 170.20.20.19).
 
Yes, the internal net "hides", but not in the way you think. The external interface is *not* a "real, routable, Internet" address. The hides are 14.14.14.14. And routing is not the issue at this point. The question is:

"Do I need to redefine my Firewall Object within Checkpoint NG to the interface that the VPN clients are connecting to to receive policy updates?"

Thanks
 
I think I am getting the idea now (I hope).
My understanding is that for the external clients to connect they will need to be able to route to the DMZ, but the SecureClient needs to bind to the firewall as part of the configuration (I have been reading up), so it therefore needs to be able to route to the firewall address.
As your firewall has a reserved address, you might be able to get round this by using a static NAT on the firewall to a routable address. This won't require you to change your firewall addressing and will still receive current routing, but will allow direct connections (your firewall will now have an Internet presence, so be careful of rules).


 
P.S. You then use this valid IP address for your SecureClients to connect to.
 
HI

AFTER READING EVERYTHING ABOVE, I SUGGEST THAT YOU MUST USE A STANDARD CONFIGURATION. I MAY NOT BE 100% RIGHT, BUT I AM TELLING YOU HOW THE SETUP USED TO BE AT AN ISP.

THE FIREWALL SHOULD HAVE A VALID INTERFACE WITH ONE VALID IP AND THE REST OF THE I/Fs WITH NON-VALID ONES. ALL NON-VALID I/Fs MUST BE NATTED IN THE FIREWALL. ANY REQUEST THAT COMES TO THE DMZ FIRST COMES TO THE FIREWALL, WHERE IT IS TRANSLATED, AUTHENTICATED AND AUTHORIZED AND PROVIDED ACCESS.

YOU MUST HAVE A VALID EXTERNAL I/F IN THE PURE SENSE TO OVERCOME ALL OTHER VPN PROBLEMS. DO YOU ALL AGREE WITH ME?
NILESH
 
I agree .... but do you know where your CAPS LOCK button is??

;-)

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thanks Piloria. Another source told me the same thing, but that it would only work if the NAT was performed on the external routers.

I'll try both. Checkpoint confirmed that this was do-able.

-r

 
Yes.
The firewall's NATed address must still be routable from the external router, so if you can do a NAT at the external router that would probably be simpler.
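The two NAT placements discussed in this thread (a static NAT for the firewall's reserved external address done on the upstream router, versus done on the firewall itself) as an added example in Python. This is not part of the original thread and not a Check Point NG or Nokia IPSO configuration: it is a small model of the poster's topology using the thread's fake addresses, walking a packet from the Internet hop by hop with longest-prefix routing and destination static NAT on ingress. The hop names, the NAT addresses 13.13.13.20, 13.13.13.21 and 14.14.14.20, the DMZ host 12.12.12.50, the LAN host 10.10.10.50 and the prefixes the upstream is assumed to route (12.12.12.0/24, 13.13.13.0/24, 14.14.14.0/24) are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Example code added to this thread; a model, not a Check Point NG or Nokia
# IPSO configuration. Addresses are the thread's fake ones; hop names, the NAT
# addresses (13.13.13.20, 13.13.13.21, 14.14.14.20), the hosts 12.12.12.50 and
# 10.10.10.50 and the prefixes the upstream routes are assumptions.

RESERVED = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_reserved(ip):
    """True for RFC 1918 space, i.e. an address the Internet will not route."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESERVED)


@dataclass
class Hop:
    name: str
    addresses: set               # addresses this hop answers for itself
    routes: dict                 # prefix -> next hop name (longest match wins)
    static_nat: dict = field(default_factory=dict)  # public dst -> real dst

    def handle(self, dst):
        """Apply destination static NAT on ingress, then route.
        Returns (possibly translated dst, next hop name or None if no route)."""
        dst = ipaddress.ip_address(self.static_nat.get(str(dst), str(dst)))
        if str(dst) in self.addresses:
            return dst, self.name            # delivered to this hop itself
        best = None
        for prefix, nxt in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nxt)
        return dst, (best[1] if best else None)


def trace(hops, start, dst, max_hops=8):
    """Walk dst from hop `start`. Returns (hops visited, delivered address),
    with None as the address when some hop has no route."""
    dst = ipaddress.ip_address(dst)
    path, cur = [], start
    for _ in range(max_hops):
        path.append(cur)
        dst, nxt = hops[cur].handle(dst)
        if nxt is None:
            return path, None
        if nxt == cur:
            return path, str(dst)
        cur = nxt
    return path, None


def build(nat_on_router=False, nat_on_firewall=False):
    """The thread's topology: Internet -> router -> firewall -> DMZ / LAN.
    The upstream is assumed to route only the registered prefixes
    12.12.12.0/24 (DMZ), 13.13.13.0/24 (router) and 14.14.14.0/24 (hide NAT)."""
    internet = Hop("internet", set(),
                   {"12.12.12.0/24": "router", "13.13.13.0/24": "router",
                    "14.14.14.0/24": "router"})
    router = Hop("router", {"13.13.13.13", "172.20.20.1"},
                 {"172.20.20.0/24": "firewall", "12.12.12.0/24": "firewall",
                  "14.14.14.0/24": "firewall"},
                 {"13.13.13.20": "172.20.20.20"} if nat_on_router else {})
    firewall = Hop("firewall", {"172.20.20.20", "12.12.12.12", "10.10.10.10"},
                   {"12.12.12.0/24": "dmz", "10.10.10.0/24": "lan"},
                   {"14.14.14.20": "172.20.20.20",   # router forwards 14.x here
                    "13.13.13.21": "172.20.20.20"}   # router does not forward 13.x
                   if nat_on_firewall else {})
    dmz = Hop("dmz", {"12.12.12.50"}, {})
    lan = Hop("lan", {"10.10.10.50"}, {})
    return {h.name: h for h in (internet, router, firewall, dmz, lan)}


if __name__ == "__main__":
    print("firewall object address, no NAT :",
          trace(build(), "internet", "172.20.20.20"))
    print("DMZ interface                   :",
          trace(build(), "internet", "12.12.12.12"))
    print("static NAT on the router        :",
          trace(build(nat_on_router=True), "internet", "13.13.13.20"))
    print("static NAT on firewall, routed  :",
          trace(build(nat_on_firewall=True), "internet", "14.14.14.20"))
    print("static NAT on firewall, unrouted:",
          trace(build(nat_on_firewall=True), "internet", "13.13.13.21"))
```

The first trace stops at the Internet hop because 172.20.20.20 is reserved space nobody routes; the DMZ interface is reachable as-is. NAT on the router works because the router translates and then has the connected 172.20.20.0/24 route. NAT on the firewall only works when the public address chosen is one the router already forwards to the firewall (here the hide range), which is the point made in the last reply.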
 