Re: [FW-1] Incoming NAT for SecuRemote users
> is it possible to NAT the ISP-IP-address of a SecuRemote client with a
> reserved IP-address from my LAN IP-range?

There are two ways of doing this.

In CheckPoint NG, you can use a feature called Office Mode. This was available as an upgrade from the base software installation and it requires that all of your components (GUI, Firewall, and SR client) be running NG. I have not played with Office Mode much yet, but the way it works is that the SR client will contact the firewall, and through a process similar to DHCP it will be assigned a firewall, DNS server, and other information. The client then uses these values when connecting to the LAN.

The other way of doing this, and the only way that works with versions before NG, is to use an IP_NAT_Pool. Enable IP_NAT_Pools in the firewall policy properties window. Then, define an IP subnet or IP range with the IPs that you want incoming clients to use. This should be a part of the network attached to the firewall that the clients will access. Next, click on the firewall object and under the NAT or VPN tab (I forget which) enable IP NAT Pools and select the address range you defined earlier. Finally, you must add a published ARP entry for every IP address in the range with the firewall's MAC address so that return traffic can be routed back to the client through the firewall!

Unless you have static NATs defined somewhere else, local.arp will not work on the Windows platform as it will not read the file. CheckPoint released a separate ARP utility which you might prefer to use. (Also, local.arp is not working under Windows 2000, thanks to Microsoft I believe.)

I prefer the IP NAT Pool method for hiding connections because I am still not familiar enough with Office Mode to be comfortable with it. Please keep in mind that when using IP NAT Pools, _ALL_ VPN connections are NAT'd, not just SR connections. If you have Site to Site VPNs, these will be NAT'd as well.
You must make sure to take this into account when using this feature.

-Don
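The step that most often goes wrong in the IP NAT Pool procedure above is the last one: every address in the pool needs its own published ARP entry pointing at the firewall's MAC, and any address you miss will silently drop return traffic for whichever client happens to draw it. The script below is an added example, not part of Don's post or any CheckPoint tool; it expands a pool range into one entry per address so nothing is skipped. It assumes a Unix-style firewall host where `arp -s <ip> <mac> pub` publishes an entry (on Windows you would feed the same list to the vendor's ARP utility instead), and the range and MAC address are constructed placeholders.

```shell
#!/bin/sh
# Expand an IPv4 pool range and emit one published (proxy) ARP entry per
# address. Range and MAC below are placeholders; substitute the NAT pool you
# defined in the policy and the MAC of the firewall interface facing the LAN.

# ip_to_int 10.1.2.3 -> 167838211 (dotted quad to 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# int_to_ip 167838211 -> 10.1.2.3 (32-bit integer back to dotted quad)
int_to_ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# expand_range FIRST LAST: print every address from FIRST to LAST inclusive,
# correctly crossing octet boundaries (e.g. 10.1.2.255 -> 10.1.3.0).
expand_range() {
    i=$(ip_to_int "$1")
    last=$(ip_to_int "$2")
    while [ "$i" -le "$last" ]; do
        int_to_ip "$i"
        i=$((i + 1))
    done
}

# arp_commands FIRST LAST MAC: one 'arp -s ... pub' line per pool address.
# Printed rather than executed so the list can be reviewed first.
arp_commands() {
    expand_range "$1" "$2" | while read -r ip; do
        echo "arp -s $ip $3 pub"
    done
}

# Dry run with placeholder values; pipe the output to sh on the firewall to apply.
arp_commands 10.1.2.200 10.1.2.207 00:00:00:00:00:01
```

Because the pool addresses are part of the LAN segment, the published entries make the firewall answer ARP for them on the LAN side, which is what lets replies to a NAT'd SecuRemote (or site-to-site) session find their way back through the firewall.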