CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Dear All, my office uses different network ranges, which include the 172.21.0.0/16 and 10.0.0.0/8 ranges. A user group sitting on the 10.0.0.0/8 LAN uses SecureClient/SecuRemote to connect to some other office. When connected, they get a new IP assigned to their system and some routes added (Office Mode). One of the routes that gets added is 172.21.0.0/16, due to which our servers, which are on 172.21.0.0/16 in my network, become inaccessible. Connectivity: our networks terminate on an L3 switch, L3 switch to router, router to the internet, and the internet to the remote site where the Smart server is kept to which the users are connecting. Please help, urgent...

Viyant, is the other office owned by your company as well (i.e. not a different company)? If so, would it not be easier just to create a site-to-site VPN?

Sir, the other office is not administered by me. It's our client's network and we don't have any kind of access to it. Thanks. Time is running out ....................... :(

The problems you have are:
1. You don't administer the 'other' network.
2. Their Office Mode IP pool is the same as you use internally.
Bottom line is, if they are dishing out OM IPs that conflict with ones you're using internally, you are going to get conflicts, which will mean the client will have problems connecting to your 172.21.0.0/16 network. Slightly OTT, but: if you don't administer the 'other' site, how do you ensure the sanity of the clients connecting from your site (type of policy downloaded etc.)? What would concern me, if I were you, is the fact that you are in effect bridging your network with one you have no control over. How do you ensure you are not introducing any risk into your network from the one your clients are connecting to?

Sir, I could not properly understand what you said after "If I were you ...". But to explain: when the users (e.g. User A) from my office connect to the Smart server kept on the remote site, they (User A) get an IP assigned to their system (Office Mode); as well, some 10 to 15 routes get added and a Desktop Security policy gets implemented on their (User A) machine. The Desktop Security policy puts in inbound as well as outbound rules. One of the routes added after VPN connection is 172.21.0.0, and my server IP that needs to be accessed locally is 172.21.100.12. As I understand from your question, if I allow 172.21.100.12 to be accessible from these systems, then the people sitting at the remote end to which these (User A) are connecting will be able to access my server after VPN connectivity. But for this I feel that, as they have the same network running at their end, the packets will not be routed at our side; else we can put an access list on our L3 switch for this particular VLAN. But primarily I want access to my server 172.21.100.12 even when User A is connected to the VPN. Is it possible... some changes in userc.c?? or bypassing the Check Point virtual interface for a particular IP??

Vijayant, what I mean by "If I were you" is "If I was in your position / if I was doing your job / duties." I don't know your network setup so can't comment in depth, but if I was responsible for your network my concerns would be that you have policies / configurations set by an external party pushed out to machines on your internal LAN. Are the machines on your network that receive these policies administered by you (i.e. are they your company's machines)? How can you have confidence that these machines are clean / have no vulnerabilities etc.? With regard to the original question, I am not entirely sure I understood correctly. I assumed that your VPN clients were being given an Office Mode IP address in the range 172.21.0.0/16 and this conflicts with one you use internally. Is this correct?

Hi Joncon, we have an L3 switch on which many VLANs are configured. Of these, one VLAN is 172.21.0.0, another 10.0.0.0, etc. A user group is connecting to some remote site from VLAN 10.0.0.0. When connected, they get an IP in the range 192.168.1.0 assigned to their system. Once connected to the remote location via VPN, the users cannot connect to my server on the 172.21.0.0 network because one route gets added to their machine saying 172.21.0.0 is at the remote location. Now what should I do for my servers in the 172.21.0.0 range to be accessible as well?

Vijayant, when your users are connected to the remote site, are they still able to access your 10.0.0.0/8 segment? How is the (remote) route 172.21.0.0 added to the machines on your network? Userc.c?

Dear Joncon, only when the users get connected to the VPN do new routes appear in the routing table of the machine. So that means the new routes are pushed by the remote end. For the new routes that get added, the traffic is forwarded to the remote end, and the rest of the traffic (e.g. one more range in my intranet is 202.41.X.X) is routable locally. That means communication to servers in this range is still possible even when the users are connected to the VPN. I want to get a solution for this because I feel it's a very genuine issue that many more can face. Thanks
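As an added diagnostic that is not part of the thread: a small Python model of the client's routing table, showing why 172.21.100.12 is steered into the tunnel once the remote gateway pushes 172.21.0.0/16, and which local hosts are affected. The adapter name, the prefix lengths of the pushed routes and the metrics are assumptions; the thread only states that a 172.21.0.0 route appears and that 202.41.X.X stays locally routable.

```python
import ipaddress

# Constructed sample data modelled on the thread: local VLANs behind the L3
# switch, and routes pushed to the client by the remote Office Mode VPN.
# Prefix lengths and metrics are assumptions, not values from the thread.
LOCAL_VLANS = {"172.21.0.0/16": "vlan-servers",
               "10.0.0.0/8": "vlan-users",
               "202.41.0.0/16": "vlan-intranet"}
PUSHED_VPN_ROUTES = ["192.168.1.0/24", "172.21.0.0/16", "172.30.0.0/16"]
VPN_IFACE = "vpn-adapter"          # hypothetical name for the VPN virtual adapter
LOCAL_METRIC, VPN_METRIC = 10, 1   # assumed: pushed routes get a lower metric


def build_table(local=LOCAL_VLANS, pushed=PUSHED_VPN_ROUTES, vpn=VPN_IFACE):
    """Merge VLAN routes and VPN-pushed routes into (network, iface, metric)."""
    table = [(ipaddress.ip_network(p), i, LOCAL_METRIC) for p, i in local.items()]
    table += [(ipaddress.ip_network(p), vpn, VPN_METRIC) for p in pushed]
    return table


def lookup(table, host):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    net, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return str(net), iface


def overlapping_routes(local=LOCAL_VLANS, pushed=PUSHED_VPN_ROUTES):
    """Pushed routes that overlap a local VLAN: the conflict described in the thread."""
    return [(p, l) for p in pushed for l in local
            if ipaddress.ip_network(p).overlaps(ipaddress.ip_network(l))]


def steered_into_tunnel(hosts, table=None, vpn=VPN_IFACE):
    """Local hosts whose traffic the client would now send into the VPN."""
    table = table or build_table()
    return [h for h in hosts if (lookup(table, h) or (None, None))[1] == vpn]


if __name__ == "__main__":
    print("overlaps:", overlapping_routes())
    print("lost:", steered_into_tunnel(["172.21.100.12", "202.41.5.5", "10.1.2.3"]))
```

Longest-prefix matching also shows why a more specific local route for the server would win in the table; whether the SecureClient virtual adapter and Desktop Security policy honour such a route is a separate question the thread does not answer.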