• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6233

DHCP configuration on Checkpoint

I am facing a difficulty with the WLAN clients (laptops etc.) getting an IP address dynamically from the DHCP scope configured on Checkpoint. The wireless clients are behind Cisco wireless access points. The wireless AP is able to receive its IP address dynamically from the Checkpoint firewall. Need help in understanding the issue.

Asked: sasha1975
1 Solution
Pugglewuggle commented:
Usually this is an authentication problem with wireless security. The indicator is that the AP gets an address but clients don't, which tells me that they aren't even getting on the network to receive a DHCP address. Can you please confirm you're using the same cipher (TKIP or AES), encryption algorithm (WPA, WEP etc.), and key (password) on the devices? Also, if you're using WPA2, do the laptops support WPA2 security?
If this doesn't work, then try disabling security and see if you get an address on the clients. If you do, then security is the issue.
Sometimes WEP causes issues with this... avoid using WEP whenever possible. It can be cracked in 40 seconds and is not considered secure. Use at minimum WPA instead.
Cheers! :-) Let me know!
sasha1975 (Author) commented:
We have disabled encryption and also disabled security, but still the issue persists. We are using a centralized architecture for wireless. A WLAN controller is being used and the access points are operating in lightweight mode.
Pugglewuggle commented:
Oooohhhh, you didn't say you were using LWAPP.
Do they have the autonomous software or are they LW only? If they can operate in autonomous mode, I say take one off the WLAN controller and test it separately to see if you get the same issue.
Another thing - you don't have the WLAN controller filtering or some sort of IPS on it, do you?
sasha1975 (Author) commented:
The access points which we have are LW only. We have been able to provide wireless clients an IP address by configuring a DHCP scope on the WLAN controller. We are facing an issue when we try to configure DHCP on Checkpoint to assign IP addresses to the access point and the WLAN clients who would get connected to the production network through Checkpoint.

The connectivity is shown below:

Laptop----Access point-----checkpoint(DHCP configured)------Access switch-------Core Switch------WLAN controller

By default, the AP and WLAN clients would get a private IP address which would be NATed to get to the production LAN. Could you please tell me if Cisco access points are recognized by Checkpoint as access points, and whether it accepts multiple DHCP requests coming from the AP or only a single device. What I feel is that Checkpoint is not accepting any DHCP requests coming through the access point except for the DHCP request that the access point itself sends across; correct me if I am wrong.
Pugglewuggle commented:
Okay, I see... so why do you have a Checkpoint firewall there in the first place?
Yes, the problem is Checkpoint not allowing DHCP through - DHCP is a broadcast protocol and doesn't work across routers (unless commands are configured), firewalls, or IPsec VPN.
It is not standard practice to have a firewall splitting up a network like that. My advice is to get rid of it. Just secure your APs with WPA or better and you'll be just fine. Nobody is going to get in that doesn't have a certificate or the password, depending on what you configure.
sasha1975 (Author) commented:
The use of Checkpoint has been made a mandate by the security team, and they want to control access to the network by use of Checkpoint. Is there any way I can get Checkpoint to provide an IP address to a laptop trying to connect to Checkpoint via an access point? The investment in the purchase of the Checkpoints has already been made.
Pugglewuggle commented:
Hmmm... how big is the company? You don't use a firewall to control internal access - that's just stupid. You use things like NAC and MAC filtering.
The only way you're going to be able to get the DHCP requests to the server is by using a thing called a directed broadcast - that's where a device that breaks up a broadcast domain collects the request and forwards it to the DHCP server in another network. If that won't work, then the only viable option is to set up a DHCP server or assign clients behind this Checkpoint a static IP (yuck!).
Sounds like the security team doesn't quite know what they're doing when it comes to internal access protection measures.... whoops, did I say that?
Pugglewuggle commented:
One other thing - if you can't get this working and have strong grounds on which to stand, I suggest you turn this into the security team's problem - not to punish them - but to make them understand why this isn't a suitable application for a firewall and why to use other technologies.
sasha1975 (Author) commented:
Thanks for the quick response... The issue here is that we are using Checkpoint as the DHCP server providing IP addresses to the wireless clients. Where do you want me to enable directed broadcast on?
Pugglewuggle commented:
Oh. I'm sorry, I thought you had the Checkpoint set up to act as a DHCP relay.
In that case, you don't need directed broadcast. You should just be able to configure it as a DHCP server like you say you have it, and it should work.
Make sure the scope is active and that it's in the same network/subnet as the clients are supposed to be in. The Checkpoint's IP address must be in that range as well.
Please let me know how you have it.
sasha1975 (Author) commented:
The AP is picking up its IP address from the Checkpoint (which was the case earlier as well), but the wireless clients (laptops) trying to get an IP address from the Checkpoint are unable to do so. The connectivity that I am trying is as follows:

Laptop------Access point-------Checkpoint
Pugglewuggle commented:
Hmmm... try setting the APs up with a static IP outside the DHCP scope.
From what you're saying, DHCP is working fine on Checkpoint.
Please post the config... btw, you might consider increasing the points... this is getting kind of long. :P
sasha1975 (Author) commented:
Does Checkpoint identify requests coming in through the access point from various wireless clients? The AP does not have any issues getting its IP address from the DHCP scope configured on Checkpoint, so it does not seem to be a Checkpoint configuration issue. My doubt is that Checkpoint does not accept more than one request coming from the access point for IP addresses. In our case, the laptops are trying to reach the Checkpoint for an IP through the access point. Any comments?
Pugglewuggle commented:
I'm thinking Checkpoint sees them as coming from the AP and not the clients for some reason.
Can you please set up one of the lappies with a static IP and the correct subnet/gateway info and see if you can talk to the rest of the network?
Also, can you please post the AP config?
sasha1975 (Author) commented:
I have tried assigning the laptop a static IP address, but I am still unable to connect to the network through the access point. Will let you know the AP configuration shortly.
Pugglewuggle commented:
Okay... hmmm... can you ping the Checkpoint or the AP?
Please post the config ASAP.
Cheers!
sasha1975 (Author) commented:
We are not able to ping the Checkpoint or the AP when we assign a static IP address to the laptop.
Pugglewuggle commented:
Are you sure the laptop is in the same subnet, has the same subnet mask, and that the default gateway is the IP address of the Checkpoint that the AP uses as its DHCP server?
sasha1975 (Author) commented:
That's right... the default gateway is the IP of the Checkpoint.... I can see the laptop associated in the WLAN controller but am unable to get connected to the production network.
Pugglewuggle commented:
Hmm.... do you have any ACLs?
Can you please post that config I asked for?
sasha1975 (Author) commented:
Guess I have understood what the issue is.... The LWAP creates a tunnel with the WLAN controller, and any communication between the end client and the WLAN controller happens over the tunnel, bypassing the Checkpoint.
Pugglewuggle commented:
Ahhhh, yes, that would make sense. In that case, the DHCP server needs to be specified in the WLAN controller, and the controller needs to be inside the Checkpoint.
Let's see if that helps!
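As an added illustration (not code from the thread or from either vendor), a small Python model of the path sasha1975 describes: the AP's own DHCP Discover reaches the Checkpoint's DHCP server in the clear on UDP 67, while a laptop's Discover travels inside the AP-to-controller LWAPP data tunnel (UDP 12222), so a DHCP server on the AP's wired segment can only parse the AP's request. The 6-byte tunnel header layout and the MAC addresses are constructed assumptions.

```python
import struct

# Constructed example: models why a DHCP server on the AP's wired segment sees
# only the AP's own request when the AP runs in lightweight (LWAPP) mode.
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_SERVER_PORT = 67
LWAPP_DATA_PORT = 12222                       # LWAPP data tunnel, AP -> WLAN controller
AP_MAC = bytes.fromhex("001122334455")        # constructed
LAPTOP_MAC = bytes.fromhex("aabbccddeeff")    # constructed

def build_dhcp_discover(mac: bytes, xid: int = 0x1234) -> bytes:
    """Minimal BOOTP/DHCP Discover: 236-byte fixed header, magic cookie, option 53=1, end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + DHCP_MAGIC + bytes([53, 1, 1, 255])

def parse_dhcp(payload: bytes):
    """Return (chaddr, DHCP message type) or None when the payload is not a DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    mac, i = payload[28:28 + payload[2]], 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                   # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            return mac, payload[i + 2]
        i += 2 + length
    return mac, None

def lwapp_encapsulate(client_frame: bytes) -> bytes:
    """Simplified 6-byte LWAPP-style data header (assumed layout) in front of the client frame."""
    return struct.pack("!BBHH", 0, 0, len(client_frame), 0) + client_frame

def lwapp_decapsulate(tunnel_payload: bytes) -> bytes:
    """What the WLAN controller recovers at the far end of the tunnel."""
    return tunnel_payload[6:6 + struct.unpack("!H", tunnel_payload[2:4])[0]]

def dhcp_server_view(packets):
    """Requests a DHCP server on the AP's wired segment can actually parse.
    packets: (source label, UDP destination port, UDP payload) as seen on the wire."""
    seen = []
    for src, dport, payload in packets:
        if dport == DHCP_SERVER_PORT and (p := parse_dhcp(payload)):
            seen.append((src, p[0].hex(":")))
        # dport 12222 carries the laptop's request inside the tunnel: opaque here
    return seen

def wire_capture():
    """Constructed capture: the AP's own Discover in the clear, the laptop's Discover tunneled."""
    return [("ap", DHCP_SERVER_PORT, build_dhcp_discover(AP_MAC)),
            ("ap", LWAPP_DATA_PORT, lwapp_encapsulate(build_dhcp_discover(LAPTOP_MAC)))]
```

Running `dhcp_server_view(wire_capture())` yields only the AP's MAC, while decapsulating the tunneled packet recovers the laptop's Discover, which is why the DHCP scope has to live on (or be relayed by) the controller side.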