VPN Symantec Gateway Security - Checkpoint Firewall

Hi all.

Can anybody help me with the following problem?

I have to connect a Symantec Gateway Security 5400 Series (SGS) to a Checkpoint firewall. Only some clients behind the SGS should be able to connect to the Checkpoint firewall via the Checkpoint Client Software.

The Checkpoint Client Software tells me that the VPN connection works. But I can't reach any host in the network behind the Checkpoint Firewall. The Administrator of the Checkpoint Firewall (CPF) told me that all packets leave the firewall correctly, so it seems the SGS is probably not configured right.

A VPN connection without SGS, only the Checkpoint Client Software, is working great. So, the problem is really the SGS and its configuration.

Greetings Stefan

Reply to
sk71

What we do in these types of situations is a one-to-one NAT for each internal IP that needs to connect. Most likely your SGS is not allowing the packets back in. That is why I always test with a dial-up connection first and then try from behind the firewall.

On the SGS side, set up a one-to-one NAT for each internal client to one of your assigned external IPs and allow the necessary ports.

moncho

Reply to
moncho

snipped-for-privacy@gmx.de wrote:
: Hi all.
:
: Can anybody help me to following problem?
:
: I have to connect a Symantec Gateway Security 5400 Series (SGS) to a
: Checkpoint firewall. Only some Client's behind the SGS should be able
: to connect to the Checkpoint firewall per Checkpoint Client Software.

If office mode is enabled on the central Checkpoint firewall, you can enable it manually on the Checkpoint VPN client (Settings, choose VPN, Properties, Advanced, Connectivity Enhancements, Visitor Mode). This will make all VPN traffic go through the HTTPS port (443). It even works through a proxy server if needed (Options, Configure proxy settings).

Office mode works in both SecureRemote and SecureClient.

This will not be the fastest option (IPsec tunnel over SSL on TCP), but it is the one that will give you the least headaches when travelling users are connecting home.

Good luck!

Lars

Reply to
larstr
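The two answers above describe two ways to get the client's traffic through the SGS: a one-to-one NAT per internal client with the VPN's ports opened (moncho), or visitor mode, which needs only TCP/443 (Lars). The following is an added example, not code from the thread or from Symantec or Check Point: it models a gateway rule set as data and reports which requirement is still missing for a given client, so a "client says connected but nothing answers" symptom can be checked against the rule set. The rule format, the sample addresses and the idea of per-direction rules are assumptions; the port requirements are the standard IPsec ones (IKE UDP/500, NAT-Traversal UDP/4500, ESP) plus the TCP/443 that visitor mode uses.

```python
"""Rule-set checker for an IPsec remote-access client behind a NAT gateway.

Added example, not the thread's or a vendor's code. It represents the advice in
the thread (one-to-one NAT per internal client plus the ports the VPN needs) as
data and reports what is still blocked. Rule format and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Standard IPsec requirements (IKE, NAT-Traversal, ESP) and the single port
# visitor mode needs. Anything else about the gateway is an assumption.
REQUIREMENTS = {
    "ipsec": {("udp", 500), ("udp", 4500), ("esp", None)},
    "visitor": {("tcp", 443)},
}


@dataclass(frozen=True)
class Rule:
    src: str             # internal client address the rule covers, or "any"
    proto: str           # "udp", "tcp" or "esp"
    port: Optional[int]  # None for protocol-level rules such as ESP
    direction: str       # "out" (client -> gateway) or "in" (return traffic)


def missing_requirements(rules, client_ip, nat_map, mode="ipsec"):
    """Return the (proto, port, direction) triples still blocked for client_ip.

    nat_map is the one-to-one NAT table {internal_ip: external_ip}. A client
    without a mapping is reported as ("nat", None, "map"), since the return
    packets have no external address to come back to.
    """
    missing = set()
    if client_ip not in nat_map:
        missing.add(("nat", None, "map"))
    for proto, port in REQUIREMENTS[mode]:
        for direction in ("out", "in"):
            allowed = any(
                r.proto == proto and r.port == port and r.direction == direction
                and r.src in (client_ip, "any")
                for r in rules
            )
            if not allowed:
                missing.add((proto, port, direction))
    return missing


# Constructed sample: one internal client mapped one-to-one to an external
# address (RFC 5737 documentation ranges).
NAT_MAP = {"192.0.2.10": "198.51.100.10"}

# IKE is allowed both ways, so the client completes negotiation and reports
# "connected", but ESP is only allowed out and NAT-T is missing entirely:
# the data packets never make it back to the client.
BROKEN_RULES = [
    Rule("192.0.2.10", "udp", 500, "out"),
    Rule("192.0.2.10", "udp", 500, "in"),
    Rule("192.0.2.10", "esp", None, "out"),
]

FIXED_RULES = BROKEN_RULES + [
    Rule("192.0.2.10", "esp", None, "in"),
    Rule("192.0.2.10", "udp", 4500, "out"),
    Rule("192.0.2.10", "udp", 4500, "in"),
]

# Visitor mode: everything rides on TCP/443, so one port pair is enough.
VISITOR_RULES = [Rule("any", "tcp", 443, "out"), Rule("any", "tcp", 443, "in")]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        gaps = missing_requirements(rules, "192.0.2.10", NAT_MAP)
        print(name, sorted(gaps, key=str))
    print("visitor", missing_requirements(VISITOR_RULES, "192.0.2.10", NAT_MAP, mode="visitor"))
```

The broken set reproduces the symptom in the question: IKE succeeds, so the client reports a working tunnel, while the ESP return traffic is dropped at the gateway. Running the checker against the real rule export would replace the constructed lists above.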

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.