Solved

DHCP configuration on Checkpoint

Posted on 2008-09-29
Last Modified: 2013-11-16
I am facing a difficulty in the WLAN clients (laptops etc.) getting an IP address dynamically from the DHCP scope configured on Checkpoint. The wireless clients are behind Cisco wireless access points. The wireless AP is able to receive the IP address dynamically from the Checkpoint firewall. Need help in understanding the issue.

Question by:sasha1975
22 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
Usually this is an authentication problem with wireless security. The indicator is that the AP gets an address but clients don't, which tells me that they aren't even getting on the network to receive a DHCP address. Can you please confirm you're using the same cipher (TKIP or AES), encryption algorithm (WPA, WEP etc.), and key (password) on the devices? Also, if you're using WPA2, do the laptops support WPA2 security?
If this doesn't work, then try disabling security and see if you get an address on the clients. If you do, then security is the issue.
Sometimes WEP causes issues with this... avoid using WEP whenever possible. It can be cracked in 40 seconds and is not considered secure. Use at minimum WPA instead.
Cheers! :-) Let me know!
 
0
 
LVL 1

Author Comment

by:sasha1975
We have disabled encryption and also disabled security, but still the issue persists. We are using a centralized architecture for wireless. A WLAN controller is being used and the access points are operating in lightweight mode.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Oooohhhh you didn't say you were using LWAPP.
Do they have the autonomous software or are they LW only? If they can operate in autonomous mode, I say take one off the WLAN controller and test it separately to see if you get the same issue.
Another thing - you don't have the WLAN controller filtering or have some sort of IPS on it, do you?
0
 
LVL 1

Author Comment

by:sasha1975
The access points which we have are LW only. We have been able to provide wireless clients an IP address by configuring a DHCP scope on the WLAN controller. We are facing an issue when we try to configure DHCP on Checkpoint to assign IP addresses to the access point and WLAN clients who would get connected to the production network through Checkpoint.

Connectivity is shown below:

Laptop----Access point-----checkpoint(DHCP configured)------Access switch-------Core Switch------WLAN controller

By default, the AP and WLAN clients would get a private IP address which would be NATted to get to the production LAN. Could you please tell me if Cisco access points are recognized by Checkpoint as access points and whether it accepts multiple DHCP requests coming from the AP or a single device. What I feel is that Checkpoint is not accepting any DHCP requests coming through the access point except for the DHCP request that the access point sends across; correct me if I am wrong.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Okay I see... so why do you have a checkpoint firewall there in the first place?
Yes, the problem is checkpoint not allowing DHCP through - DHCP is a broadcast protocol and doesn't work across routers (unless commands are configured), firewalls, or IPsec VPN.
It is not standard practice to have a firewall splitting up a network like that. My advice is to get rid of it. Just secure your APs with WPA or better and you'll be just fine. Nobody is going to get in that doesn't have a certificate or the password, depending on what you configure.
0
 
LVL 1

Author Comment

by:sasha1975
The use of Checkpoint has been made a mandate by the security team and they want to control access to the network by use of Checkpoint. Is there any way I can get Checkpoint to provide an IP address to a laptop trying to connect to Checkpoint via the access point? The investment in the purchase of Checkpoints has already been made.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Hmmm... how big is the company? You don't use a firewall to control internal access - that's just stupid. You use things like NAC and MAC filtering.
The only way you're going to be able to get the DHCP requests to the server is by using a thing called a directed broadcast - that's where a device that breaks up a broadcast domain collects the request and forwards it to the DHCP server in another network. If that won't work then the only viable option is to set up a DHCP server or assign clients behind this checkpoint a static IP (yuck!).
Sounds like the security team doesn't quite know what they're doing when it comes to internal access protection measures.... whoops, did I say that?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
One other thing - if you can't get this working and have strong grounds on which to stand, I suggest you turn this into the security team's problem - not to punish them - but to make them understand why this isn't a suitable application for a firewall and why to use other technologies.
0
 
LVL 1

Author Comment

by:sasha1975
Thanks for the quick response... The issue here is that we are using Checkpoint as the DHCP server providing IP addresses to the wireless clients. Where do you want me to enable directed broadcast?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Oh. I'm sorry, I thought you had the checkpoint set up to act as a DHCP relay.
In that case, you don't need directed broadcast. You should just be able to configure it as a DHCP server like you say you have it and it should work.
Make sure the scope is active and that it's in the same network/subnet as the clients are supposed to be in. The checkpoint's IP address must be in that range as well.
Please let me know how you have it.
0
 
LVL 1

Author Comment

by:sasha1975
The AP is picking up the IP address from the Checkpoint (which was the case earlier as well), but the wireless clients (laptops) trying to get an IP address from the Checkpoint are unable to do so. The connectivity that I am trying is as follows:

Laptop------Access point-------Checkpoint
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Hmmm... try setting the APs up with a static IP outside the DHCP scope.
From what you're saying DHCP is working fine on checkpoint.
Please post the config... btw you might consider increasing the points... this is getting kind of long. :P
0
 
LVL 1

Author Comment

by:sasha1975
Does Checkpoint identify requests coming in through the access point from various wireless clients? The AP does not have any issues getting the IP address from the DHCP scope configured on Checkpoint. It does not seem to be a Checkpoint configuration issue. My doubt is that Checkpoint does not accept more than one request coming from the checkpoint for IP addresses. In our case, the laptops are trying to reach the Checkpoint for an IP through the access point. Any comments?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
I'm thinking checkpoint sees them as coming from the AP and not the clients for some reason.
Can you please set up one of the lappies with a static IP and the correct subnet/gateway info and see if you can talk to the rest of the network?
Also, can you please post the AP config?
0
 
LVL 1

Author Comment

by:sasha1975
I have tried assigning the laptop a static IP address but am still unable to connect to the network through the access point. Will let you know the AP configuration shortly.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Okay... hmmm... can you ping the checkpoint or the AP?
Please post config ASAP.
Cheers!
0
 
LVL 1

Author Comment

by:sasha1975
We are not able to ping the checkpoint nor AP when we assign a static IP address to the laptop.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Are you sure the laptop is in the same subnet, has the same subnet mask, and the default gateway should be the IP of the checkpoint server's IP address that the AP uses as its DHCP server?
0
 
LVL 1

Author Comment

by:sasha1975
That's right... the default gateway is the IP of the Checkpoint.... I can see the laptop associated in the WLAN controller but am unable to get connected to the production network.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Hmm.... do you have any ACLs?
Can you please post that config I asked for?
0
 
LVL 1

Author Comment

by:sasha1975
Guess I have understood what the issue is.... LWAP creates a tunnel with the WLAN controller, and any communication between the end client and the WLAN controller happens over the tunnel, bypassing the Checkpoint.
0
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 500 total points
Ahhhh, yes, that would make sense. In that case, the DHCP server needs to be specified in the WLAN controller and the controller needs to be inside the Checkpoint.
Let's see if that helps!
0
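An added illustration of the diagnosis reached above (not code from any poster in this thread): a DHCP service on an in-path firewall only answers frames that arrive as plain UDP 68 to 67, while a lightweight AP forwards the laptop's DHCPDISCOVER to the controller inside its LWAPP data tunnel (UDP 12222). All MAC/IP addresses are constructed, and the 30-byte encapsulation header is a stand-in rather than a faithful LWAPP/802.11 header.

```python
import struct

LWAPP_DATA_PORT = 12222                  # LWAPP data channel; 12223 is control
DHCP_MAGIC = bytes.fromhex("63825363")   # DHCP magic cookie (RFC 2131)

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + udp

def dhcp_discover(client_mac):
    """Minimal BOOTP header (236 bytes) + magic cookie + option 53 = DISCOVER."""
    head = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)
    return (head + bytes(16) + mac(client_mac).ljust(16, b"\0") + bytes(192)
            + DHCP_MAGIC + b"\x35\x01\x01\xff")

def classify(frame):
    """How a DHCP server on the in-path firewall would treat this frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return "ignored"                      # not IPv4/UDP
    udp_off = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    payload = frame[udp_off + 8:]
    if (sport, dport) == (68, 67):
        return "dhcp-request"                 # the firewall's DHCP server answers
    if LWAPP_DATA_PORT in (sport, dport):     # unicast AP <-> controller tunnel
        return "tunnelled-dhcp" if DHCP_MAGIC in payload else "tunnel"
    return "other"

# Constructed sample traffic as seen on the firewall's AP-facing interface.
AP, LAPTOP, FW, BCAST = ("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                         "00:de:ad:be:ef:01", "ff:ff:ff:ff:ff:ff")
ap_own = udp_frame(AP, BCAST, "0.0.0.0", "255.255.255.255", 68, 67,
                   dhcp_discover(AP))
inner = udp_frame(LAPTOP, BCAST, "0.0.0.0", "255.255.255.255", 68, 67,
                  dhcp_discover(LAPTOP))
tunnelled = udp_frame(AP, FW, "192.0.2.10", "198.51.100.5", 32768,
                      LWAPP_DATA_PORT, bytes(30) + inner[14:])

def demo():
    return [classify(ap_own), classify(tunnelled)]

if __name__ == "__main__":
    print(demo())
```

On a real capture the same two outcomes separate "DHCP scope misconfigured" from "client traffic never reaches the firewall as DHCP".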
