Firewall Wizards mailing list archives

RE: Checkpoint VPN through One valid IP


From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Fri, 24 Aug 2001 10:16:33 -0400

Nate,
It sounds like you have some of the personal firewalling for SecuRemote
(called SecureClient when you use these features) enabled. At least, that's
the read I get from the error you mentioned. That's not a normal SR error,
but a SecureClient error. Couple of things I would try:
1) Disable all SecureClient options on the firewall policy.
2) Reinstall SR without desktop protection.
3) Make sure your encryption domain is correct.
4) Check the files on the client to ensure SR is downloading the topology
correctly. (userc.C I believe)

Give that a shot. That should at least remove one variable.
Hope this helps.
Andrew Kalat





---------------------------------------------------------
Andrew J. Kalat,                | Direct: (404)236-2713
IT Infrastructure Manager       | Main:   (404)236-2600
Internet Security Systems, Inc. | E-Mail: akalat () iss net
6303 Barfield Road              | http://www.iss.net/
Atlanta, GA 30328               | PGP key available.


-----Original Message-----
From: NHawkins () bsc-rscservices com [mailto:NHawkins () bsc-rscservices com]
Sent: Thursday, August 23, 2001 10:13 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Checkpoint VPN through One valid IP


I'm trying to do a complete solution through one valid IP (Everything from
VPN, to web hosting to FTP access...etc) and so far I have everything
working, but I have some VPN quirks. I have an internal network (10 network
address space) hiding behind the one valid IP and it sees the I-net
beautifully. The VPN actually works (my Checkpoint solution is a
distributed environment - Firewall on one server, management console on
another server, and GUI clients on two other separate workstations), but it
doesn't authenticate like other multi valid IP address Checkpoint
environments that I support. I have a translation rule on the Firewall that
incoming secure remote requests are translated to the internal management
console box (FW1_TOPO service) and it authenticates at that time; however,
when I try to access the internal network (I like to use PC Anywhere) I get
a notification: "User successfully authenticated by VPN-1" then it says
below "You are using an inappropriate policy. Load a new policy from your
Policy Server." I do an update of the policy and everything works at that
point. It seems to me that I need to either translate another service or I
am not doing something correctly. In addition to this, if I check the
checkbox "Apply Rule Only if Desktop Configuration Options are Verified" in
Properties of Client Encryption then my VPN doesn't work at that point.

Any advice would be appreciated!

Regards,
Nate Hawkins
WAN Administrator - Advanced Systems Analyst.
Beaumont Services Company L.L.C.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
