VPN Symantec Gateway Security - Checkpoint Firewall

on 26.10.2006 15:33:26 by sk71

Hi all.

Can anybody help me with the following problem?

I have to connect a Symantec Gateway Security 5400 Series (SGS) to a
Checkpoint firewall. Only some clients behind the SGS should be able
to connect to the Checkpoint firewall via the Checkpoint Client Software.

The Checkpoint Client Software tells me that the VPN connection works.
But I can't reach any host in the network behind the Checkpoint
Firewall. The Administrator of the Checkpoint Firewall (CPF) told me
that all packets leave the firewall correctly, so it seems the SGS is
probably not configured right.

A VPN connection without SGS, only the Checkpoint Client Software, is
working great.
So, the problem is really the SGS and its configuration.

Greetings
Stefan

Re: VPN Symantec Gateway Security - Checkpoint Firewall

on 28.10.2006 14:08:15 by moncho

sk71@gmx.de wrote:
> Hi all.
>
> Can anybody help me with the following problem?
>
> I have to connect a Symantec Gateway Security 5400 Series (SGS) to a
> Checkpoint firewall. Only some clients behind the SGS should be able
> to connect to the Checkpoint firewall via the Checkpoint Client Software.
>
> The Checkpoint Client Software tells me that the VPN connection works.
> But I can't reach any host in the network behind the Checkpoint
> Firewall. The Administrator of the Checkpoint Firewall (CPF) told me
> that all packets leave the firewall correctly, so it seems the SGS is
> probably not configured right.
>
> A VPN connection without SGS, only the Checkpoint Client Software, is
> working great.
> So, the problem is really the SGS and its configuration.

What we do in these types of situations is a one-one NAT for each
internal IP that needs to connect. Most likely your SGS is not
allowing the packets back in. That is why I always test with a dial-up
connection first and then try from behind the firewall.

On the SGS side, set up a one-one NAT for each internal client to
one of your assigned external IPs and allow the necessary ports.

moncho

Re: VPN Symantec Gateway Security - Checkpoint Firewall

on 28.10.2006 23:37:08 by larstr

sk71@gmx.de wrote:
: Hi all.

: Can anybody help me with the following problem?

: I have to connect a Symantec Gateway Security 5400 Series (SGS) to a
: Checkpoint firewall. Only some clients behind the SGS should be able
: to connect to the Checkpoint firewall via the Checkpoint Client Software.

If office mode is enabled on the central Checkpoint firewall, you can
enable it manually on the Checkpoint VPN client (Settings, choose VPN,
properties, advanced, connectivity enhancements, visitor mode). This
will make all VPN traffic go through the https port (443). It even
works through a proxy server if needed (Options, Configure proxy
settings).

Office mode works both in SecuRemote and SecureClient.

This way will not give you the fastest way (IPSEC tunnel over SSL on
tcp), but it is the one that will give you the least headaches when
travelling users are connecting home.

Good luck!

Lars