Solved

DHCP configuration on Checkpoint

Posted on 2008-09-29
22
5,714 Views
Last Modified: 2013-11-16
I am facing a difficulty in the WLAN clients (laptops etc.) getting an IP address dynamically from the DHCP scope configured on Checkpoint. The wireless clients are behind Cisco wireless access points. The wireless AP is able to receive the IP address dynamically from the Checkpoint firewall. Need help in understanding the issue.

0
Question by:sasha1975
22 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22598943
Usually this is an authentication problem with wireless security. The indicator is that the AP gets an address but clients don't, which tells me that they aren't even getting on the network to receive a DHCP address. Can you please confirm you're using the same cipher (TKIP or AES), encryption algorithm (WPA, WEP etc.), and key (password) on the devices? Also, if you're using WPA2, do the laptops support WPA2 security?
If this doesn't work, then try disabling security and see if you get an address on the clients. If you do, then security is the issue.
Sometimes WEP causes issues with this... avoid using WEP whenever possible. it can be cracked in 40 seconds and is not considered secure. Use at minimum WPA instead.
Cheers! :-) Let me know!
 
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22609581
We have disabled encryption and also disabled security but still the issue persists. We are using a centralized architecture for wireless. A WLAN controller is being used and the access points are operating in lightweight mode.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22610366
Oooohhhh you didn't say you were using LWAPP.
Do they have the autonomous software or are they LW only? If they can operate in autonomous mode, I say take one off the WLAN controller and test it separately to see if you get the same issue.
Another thing -  you don't have the WLAN controller filtering or have some sort of IPS on it do you?
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22618747
The access points which we have are LW only. We have been able to provide wireless clients IP addresses by configuring a DHCP scope on the WLAN controller. We are facing an issue when we try to configure DHCP on Checkpoint to assign IP addresses to the access point and WLAN clients who would get connected to the production network through Checkpoint.

connectivity is shown below:

Laptop----Access point-----checkpoint(DHCP configured)------Access switch-------Core Switch------WLAN controller

By default, the AP and WLAN clients would get a private IP address which would be NATed to get to the production LAN. Could you please tell me if Cisco access points are recognized by Checkpoint as access points and whether it accepts multiple DHCP requests coming from the AP or a single device. What I feel is that Checkpoint is not accepting any DHCP requests coming through the access point except for the DHCP request that the access point sends across; correct me if I am wrong.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22618977
Okay I see... so why do you have a checkpoint firewall there in the first place?
Yes, the problem is checkpoint not allowing DHCP through - DHCP is a broadcast protocol and doesn't work across routers (unless commands are configured), firewalls, or IPsec VPN.
It is not standard practice to have a firewall splitting up a network like that. My advice is to get rid of it. Just secure your APs with WPA or better and you'll be just fine. Nobody is going to get in that doesn't have a certificate or the password, depending on what you configure.
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22619491
The use of Checkpoint has been made a mandate by the security team and they want to control access to the network by use of Checkpoint. Is there any way I can get Checkpoint to provide an IP address to a laptop trying to connect to Checkpoint via the access point? The investment in the purchase of Checkpoints has already been made.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22619706
Hmmm... how big is the company? You don't use a firewall to control internal access - that's just stupid. You use things like NAC and MAC filtering.
The only way you're going to be able to get the DHCP requests to the server is by using a thing called a directed broadcast - that's where a device that breaks up a broadcast domain collects the request and forwards it to the DHCP server in another network. If that won't work then the only viable option is to set up a DHCP server or assign clients behind this checkpoint a static IP (yuck!).
Sounds like the security team doesn't quite know what they're doing when it comes to internal access protection measures.... woops, did I say that?
0
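The "directed broadcast" forwarding Pugglewuggle describes is what a DHCP relay agent does (RFC 2131 section 4.3.1). This added example, not code from the thread or any vendor, builds a client's broadcast DISCOVER and shows the relay step that turns it into a unicast a firewall can pass: stamp giaddr with the relay's own address if it is still 0.0.0.0, bump hops, and forward to the server. All addresses and the MAC are constructed sample values.

```python
"""DHCP relay hop, per RFC 2131 4.3.1 (added example, constructed values)."""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options field
SERVER_PORT = 67


def build_discover(xid: int, mac: bytes) -> bytes:
    """Build a minimal BOOTREQUEST/DHCPDISCOVER as a client broadcasts it.

    Fixed-format header layout (byte offsets): op 0, htype 1, hlen 2, hops 3,
    xid 4, secs 8, flags 10, ciaddr 12, yiaddr 16, siaddr 20, giaddr 24,
    chaddr 28, sname 44, file 108, magic cookie 236, options 240.
    """
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # flags: broadcast bit set
    addrs = b"\x00" * 16                 # ciaddr, yiaddr, siaddr, giaddr all 0.0.0.0
    chaddr = mac.ljust(16, b"\x00")      # client hardware address, padded to 16 bytes
    sname_file = b"\x00" * 192           # unused server name / boot file fields
    options = bytes([53, 1, 1, 255])     # option 53 (message type) = 1 DISCOVER, then END
    return hdr + addrs + chaddr + sname_file + DHCP_MAGIC + options


def giaddr_of(packet: bytes) -> str:
    """Relay agent address the server will use to pick the scope/subnet."""
    return socket.inet_ntoa(packet[24:28])


def relay(packet: bytes, relay_ip: str, server_ip: str, max_hops: int = 4):
    """Forward a client request as a relay agent would.

    Returns (destination_ip, forwarded_packet), or None when the hop limit
    is reached and the packet must be dropped (loop protection).
    relay_ip is the address of the relay's interface facing the client.
    """
    hops = packet[3]
    if hops >= max_hops:
        return None
    out = bytearray(packet)
    out[3] = hops + 1
    if packet[24:28] == b"\x00\x00\x00\x00":
        # Only the first relay on the path stamps giaddr; later relays keep it,
        # so the server still learns which subnet the client is actually on.
        out[24:28] = socket.inet_aton(relay_ip)
    # Now unicast to the server (UDP/67) instead of 255.255.255.255.
    return server_ip, bytes(out)
```

Because the forwarded packet is unicast from the relay to the server, a stateful firewall in between only needs to allow UDP/67 between those two addresses rather than broadcast traffic.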
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22619716
One other thing - if you can't get this working and have strong grounds on which to stand, I suggest you turn this into the security team's problem - not to punish them - but to make them understand why this isn't a suitable application for a firewall and why to use other technologies.
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22619735
Thanks for the quick response... The issue here is that we are using Checkpoint as the DHCP server providing IP addresses to the wireless clients. Where do you want me to enable directed broadcast on?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22619756
Oh. I'm sorry, I thought you had the checkpoint set up to act as a DHCP relay.
In that case, you don't need directed broadcast. You should just be able to configure it as a DHCP server like you say you have it and it should work.
Make sure the scope is active and that it's in the same network/subnet as the clients are supposed to be in. The checkpoint's IP address must be in that range as well.
Please let me know how you have it.
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22619971
The AP is picking up the IP address from the Checkpoint (which was the case earlier as well) but the wireless clients (laptops) trying to get an IP address from the Checkpoint are unable to do so. The connectivity that I am trying is as follows:

Laptop------Access point-------Checkpoint
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22620105
Hmmm... try setting the APs up with a static IP outside the DHCP scope.
From what you're saying DHCP is working fine on checkpoint.
Please post the config... btw you might consider increasing the points... this is getting kind of long. :P
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22621692
Does Checkpoint identify requests coming in through the access point from various wireless clients? The AP does not have any issues getting the IP address from the DHCP scope configured on Checkpoint, so it does not seem to be a Checkpoint configuration issue. My doubt is that Checkpoint does not accept more than one request coming from the checkpoint for IP addresses. In our case, the laptops are trying to reach the Checkpoint for an IP through the access point. Any comments?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621745
I'm thinking checkpoint sees them as coming from the AP and not the clients for some reason.
Can you please set up one of the lappies with a static IP and the correct subnet/gateway info and see if you can talk to the rest of the network?
Also, can you please post the AP config?
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22631542
I have tried assigning the laptop a static IP address but still am unable to connect to the network through the access point. Will let you know the AP configuration shortly.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22631668
Okay... hmmm... can you ping the checkpoint or the AP?
Please post config ASAP.
Cheers!
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22634096
We are not able to ping the checkpoint nor AP when we assign a static IP address to the laptop.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22636024
Are you sure the laptop is in the same subnet, has the same subnet mask, and that the default gateway is the IP address of the Checkpoint that the AP uses as its DHCP server?
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22636061
That's right... the default gateway is the IP of the Checkpoint... I can see the laptop associated in the WLAN controller but am unable to get connected to the production network.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22636115
Hmm.... do you have any ACLs?
Can you please post that config I asked for?
0
 
LVL 1

Author Comment

by:sasha1975
ID: 22653115
Guess I have understood what the issue is... LWAP creates a tunnel with the WLAN controller and any communication between the end client and the WLAN controller happens over the tunnel, bypassing the Checkpoint.
0
 
LVL 12

Accepted Solution

by:Pugglewuggle (earned 500 total points)
ID: 22653585
Ahhhh, yes, that would make sense. In that case, the DHCP server needs to be specified in the WLAN controller and the controller needs to be inside the Checkpoint.
Let's see if that helps!
0
