Ok so here's the issue. I have a UTM-1 270 NGX R65 with VPN turned on. I am using the certificate method for authentication with the latest SecureClient installed (ver. NGX R60 HFA2 Build 002). A remote user can connect to the VPN using the SecureClient, get authenticated and successfully connected, and get assigned an IP through the IP Pool I have set up; they also get the DNS servers I have them pointed to, but they can't access the internal LAN to get to our Exchange server and file servers, nor does their internet access work after connecting.
Here is how I have my network/objects setup in the Checkpoint:
- Firewall: Checkpoint UTM-1 270 NGX R65, internal IP: 10.0.0.3 Ext. IP x.x.x.251
- Internal LAN 10.0.0.0/22 (10.0.0.0-10.0.3.254 for those that are lazy...). Auto NAT rules are in place w/ matching security rules.
- IP Pool for VPN users 10.0.4.0/24 (10.0.4.0-10.0.4.254, again for those that are lazy...). Also I have the IP pool set up with NO NAT.
- Security rule allowing any to any with VPN traffic for "remote access" being accepted.
- "Remote Access" setup for VPN with VPN user group (with all correct users inside group)
- Office Mode is enabled with users being given an IP from the Pool above. Hub mode is also enabled.
- IP spoofing is turned on with VPN IP Pool selected.
- DNS servers are assigned to the VPN users and are set as our local DNS servers.
- SecureClients are set for Office Mode and hub mode.
Once connected with SecureClient I can see the logs showing correct authentication, with encrypted/decrypted packets being allowed. On the SecureClient side I see the user get assigned an IP from the IP pool and the DNS servers set. The SecureClient log shows a deny and gives the error "Packet is from physical IP address but office mode is enabled". I have tried this both internally and remotely and I get the same issue. My traffic is blocked to any internal LAN, so even if I try to ping a local server I get "can't find" etc. Any ideas?
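The logged error says the client is sourcing packets from its physical adapter address rather than the Office Mode address, which comes down to which route the client picks for a given destination. The following is an added diagnostic example, not part of the post or any Check Point tool: it applies longest-prefix-match route selection to a constructed client routing table and lists the destinations whose packets would leave with the physical IP. The LAN and pool prefixes are taken from the post; the client addresses, the local subnet and the gateway's external address (a placeholder for the redacted x.x.x.251) are assumptions.

```python
import ipaddress

# Constructed client addresses (assumptions, not from the post).
PHYSICAL_IP = "192.168.1.20"      # address on the user's physical NIC
OFFICE_MODE_IP = "10.0.4.10"      # address handed out from the 10.0.4.0/24 pool
GATEWAY_EXT_IP = "203.0.113.251"  # placeholder for the gateway's redacted external IP

# Route entries: (destination network, interface, source IP used on that interface).
# Constructed "broken" table: the internal LAN 10.0.0.0/22 has no route via the
# Office Mode adapter, so the physical default route wins and packets carry PHYSICAL_IP.
BROKEN_ROUTES = [
    ("0.0.0.0/0", "physical", PHYSICAL_IP),
    ("192.168.1.0/24", "physical", PHYSICAL_IP),
    ("10.0.4.0/24", "officemode", OFFICE_MODE_IP),
]

# Constructed "fixed" table for hub mode: everything goes through the tunnel except
# the local subnet and the gateway itself, which must stay on the physical NIC.
FIXED_ROUTES = [
    ("0.0.0.0/0", "officemode", OFFICE_MODE_IP),
    ("10.0.0.0/22", "officemode", OFFICE_MODE_IP),
    ("10.0.4.0/24", "officemode", OFFICE_MODE_IP),
    ("192.168.1.0/24", "physical", PHYSICAL_IP),
    (GATEWAY_EXT_IP + "/32", "physical", PHYSICAL_IP),
]

def select_source(routes, destination):
    """Longest-prefix match: return (interface, source_ip) chosen for destination."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, iface, src in routes:
        network = ipaddress.ip_network(net)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, src)
    if best is None:
        raise ValueError(f"no route to {destination}")
    return best[1], best[2]

def check_office_mode(routes, destinations, office_mode_ip):
    """Return (destination, interface, source_ip) for every destination whose packets
    would leave with a source other than the Office Mode IP, i.e. the packets the
    gateway would drop as 'from physical IP address but office mode is enabled'."""
    return [(d,) + select_source(routes, d)
            for d in destinations
            if select_source(routes, d)[1] != office_mode_ip]

# Gateway internal IP from the post plus a constructed file server address.
INTERNAL_TARGETS = ["10.0.0.3", "10.0.1.25"]

if __name__ == "__main__":
    for label, routes in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        print(label, check_office_mode(routes, INTERNAL_TARGETS + ["8.8.8.8"], OFFICE_MODE_IP))
```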