Problem: Check Point VPN-1 SecureClient Connection failed - Firewalls



Thread: Problem: Check Point VPN-1 SecureClient Connection failed

  1. Problem: Check Point VPN-1 SecureClient Connection failed

    My network looks like this


    LAN---------Firewall-1/VPN-1------------PIX---------------------internet
                (Nokia IPSO 3.8)            (NAT)
                (all interfaces have private addresses)

    I try to connect to Firewall-1/VPN-1 using SecureClient R56 and Office mode.
    When the connection is performed from inside the LAN everything works fine
    (the gateway is the interface inside the LAN).
    When I try to connect from the internet, the site and authentication are
    created successfully, but the tunnel doesn't work (I'm connecting to the
    translated outside interface).

    Firewall-1/VPN-1 has private addresses on all interfaces, and translation to
    the public address is made on the PIX. The PIX allows all traffic in both
    directions.

    On the remote host which tries to connect to Firewall-1/VPN-1 I ran "srfw
    monitor" and I saw that SecureClient sends packets not to the translated
    outside address but to one of the private addresses of Firewall-1/VPN-1
    (the primary one).

    And I think that this can be a problem.
    Has anyone seen something like this before? And maybe someone knows how to
    configure this to work fine.



  2. Re: Problem: Check Point VPN-1 SecureClient Connection failed


    Hello,

    This behaviour is normal: the SecureClient got the IP addresses of the
    firewall, as well as the encryption domain, from the topology download.
    The CP firewall has no clue that it is translated by a PIX somewhere, and
    neither does the SecureClient.

    A workaround for that is to edit the user.C file on your SecureClient
    computer and replace the external (private) IP of the CP fw with the public
    one of the PIX at every place it appears. The PIX should also forward
    the packets it receives to the CP fw. But each time you update the site your
    modifications will be lost. So a much better solution: do the NAT on the
    CP and only route with the PIX.

    /Jean-Marc


    slavek wrote:

    > My network looks like this
    >
    >
    > LAN---------Firewall-1/VPN-1------------PIX---------------------internet
    >             (Nokia IPSO 3.8)            (NAT)
    >             (all interfaces have private addresses)
    >
    > I try to connect to Firewall-1/VPN-1 using SecureClient R56 and Office mode.
    > When the connection is performed from inside the LAN everything works fine
    > (the gateway is the interface inside the LAN).
    > When I try to connect from the internet, the site and authentication are
    > created successfully, but the tunnel doesn't work (I'm connecting to the
    > translated outside interface).
    >
    > Firewall-1/VPN-1 has private addresses on all interfaces, and translation to
    > the public address is made on the PIX. The PIX allows all traffic in both
    > directions.
    >
    > On the remote host which tries to connect to Firewall-1/VPN-1 I ran "srfw
    > monitor" and I saw that SecureClient sends packets not to the translated
    > outside address but to one of the private addresses of Firewall-1/VPN-1
    > (the primary one).
    >
    > And I think that this can be a problem.
    > Has anyone seen something like this before? And maybe someone knows how to
    > configure this to work fine.
    >
    >
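
The workaround in the reply above (replace the gateway's private address with the PIX's public one everywhere it appears in the client's topology file) can be scripted so it is easy to re-apply after a site update. This is an added example, not code from the thread or from Check Point; the sample text is constructed and does not reproduce the real file syntax, the addresses are documentation values, and the file path is whatever the caller supplies.

```python
import re
import shutil

# Constructed sample text; a neutral layout, NOT the real user.C syntax.
SAMPLE = (
    "gateway fw1 address 192.168.10.1\n"
    "internal host address 192.168.10.10\n"
    "tunnel peer 192.168.10.1\n"
)


def ip_pattern(ip):
    """Match ip only as a whole address, never as part of a longer one."""
    return re.compile(r"(?<!\d)(?<!\d\.)" + re.escape(ip) + r"(?!\d|\.\d)")


def rewrite_gateway_ip(text, private_ip, public_ip):
    """Return (new_text, count) with each whole private_ip replaced."""
    return ip_pattern(private_ip).subn(public_ip, text)


def needs_patch(text, private_ip):
    """True if the private address is present, e.g. after a site update."""
    return ip_pattern(private_ip).search(text) is not None


def patch_file(path, private_ip, public_ip):
    """Back up path to path + '.bak', rewrite it, return replacement count."""
    with open(path, newline="") as fh:   # newline="" keeps line endings as-is
        original = fh.read()
    new_text, count = rewrite_gateway_ip(original, private_ip, public_ip)
    if count:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", newline="") as fh:
            fh.write(new_text)
    return count


if __name__ == "__main__":
    # Addresses are example values (assumptions), not taken from the thread.
    patched, n = rewrite_gateway_ip(SAMPLE, "192.168.10.1", "203.0.113.5")
    print(n, "replacement(s)")
    print(patched)
```

A plain search-and-replace would also rewrite 192.168.10.10 in the sample; the whole-address match leaves hosts in the encryption domain untouched.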

