CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
We have our management server located in Cincinnati, Ohio. From this site we have different sites across the US that are enforcement points for their office there. All of our networks are connected via the Verizon cloud; we don't have a specific VPN built from Cincinnati to Atlanta or Cincinnati to California via Check Point.

When we are in our office in Cincinnati, Atlanta, California, etc. we are able to Remote Desktop to the other sites, no problem at all. When we connect via SecuRemote we can RDC to just the site we connected to. So if I am at home and I connect to my office in Cincinnati, I can only RDC to the computers in Cincinnati; I cannot RDC to computers in another location. This is the same when using SecuRemote at all the other locations. So the problem is that when in the office you can RDC to any location you want to, but when you are out of the office and connecting via SecuRemote you cannot.

To help combat that issue, along with accomplishing a clientless VPN solution for our users, we have started to test SSL Network Extender. With SNX, I read and was told that when you connect you should have no issue getting to the other locations. It should literally be like you are sitting at work at your computer: when you connect from your home PC, you should be able to RDC to any location. The problem is that I can't do that. I am still only able to connect to OUR network and no one else's when I use SNX.

We do have separate encryption domains for each location on their firewall. So here in Cincinnati, our encryption domain includes all of the subnets IN Cincinnati. In Atlanta, it's all the subnets there, but NOT ours. It's my understanding that we can't have overlapping encryption domains.

What could the cause of my problems be? Am I missing something in the setup of the firewall? Thank you in advance!
Sorry for the brief response, I'm in a hurry. It's a VPN routing issue.

1) If you are using SecuRemote/SecureClient, make sure you have "route all traffic" enabled, because NO traffic that's not part of your VPN gateway's encryption domain will be sent by SecureClient to the gateway.
2) Depending on the version of Check Point, you also have the possibility to define a different REMOTE ACCESS community besides the one defined by topology/interfaces. Check your gateway object.
3) Also check the Check Point PDFs for the vpn_route.conf file, for VPN routing across gateways.

It depends a bit on Check Point versions etc.

Edit: SNX uses the same encryption domain settings as SecuRemote/SecureClient.
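As an added illustration of point 3 above (not from the reply's author and not from Check Point's documentation): a vpn_route.conf fragment that tells the Cincinnati gateway to forward traffic for the Atlanta and California networks through a VPN tunnel to the gateway at each site, and tells the Atlanta gateway to do the same for Cincinnati-bound traffic. The file lives at $FWDIR/conf/vpn_route.conf on the management server; every non-comment line is three whitespace-separated SmartDashboard object names (destination network, next-hop gateway, gateway the route is installed on), and the entries take effect on the next policy install. The object names Atlanta_Net, Atlanta_GW, California_Net, California_GW, Cincinnati_Net and Cincinnati_GW are assumed placeholders, not names from the thread.

```text
# $FWDIR/conf/vpn_route.conf on the management server
# Object names below are assumed placeholders; use the network and gateway
# objects as they are named in SmartDashboard.
#
# Destination network   Next-hop gateway   Install on
Atlanta_Net             Atlanta_GW         Cincinnati_GW
California_Net          California_GW      Cincinnati_GW
Cincinnati_Net          Cincinnati_GW      Atlanta_GW
```

Two caveats a practitioner would check before relying on this. First, VPN routing only forwards traffic between gateways that already share a site-to-site VPN tunnel; the original post says no Check Point VPN exists between the sites (they ride the Verizon cloud), so these entries do nothing on their own in that setup. Second, the remote-access client still has to put Atlanta-bound packets into its tunnel at all, which is what points 1 and 2 are about: either "route all traffic", or a VPN domain for the Remote Access community on the Cincinnati gateway that includes the other sites' subnets. In the poster's situation point 2 is the setting to look at first.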
Thanks for the reply. We are using NGX R65 with Windows 2003. Would I still want to edit the vpn_route.conf file for this? It's confusing because I can get all the routes when I sign in; it's just that if I try to ping something I get "destination unreachable", or RDC will not open the client up.