Re: [fw-wiz] Terminating Secureclient on a private address range
On 9/13/06, Steve Willis <firstname.lastname@example.org> wrote:[color=blue]
> We currently run a pair of Nokia ip350's in a HA pair. We have a public
> address for each of the firewalls plus one for the VIP. We have been
> successfully running SecureClient terminating on the VIP address without =[/color]
> problems. However we are about to migrate to a new ISP that wants us to
> allocate private addresses to the firewalls and the VIP and they will rou=[/color]
> from the newly allocated public address range to us.
> I am unable to see how SecureClient will work in this way. Our ISP assure=[/color]
> that this will work using NAT (they tell me this works on their PIX's). I
> managed to track down one document on the net that basically says that
> Checkpoint supplied an unsupported workaround, but even this will not work
> in a HA configuration, and I am certainly not interested in an unsupported
> option. I have agreed to try and get this working on the proviso that if =[/color]
> does not we will get public addressing for the firewalls, but so far I ha=[/color]
> been unsuccessful. Does anyone know if this is possible, and if so, any
If you have a recent version (NGX), you can use the Link Selection
feature (under the
VPN properties on your cluster object), and then say that your cluster is
"Statically NATed" behind NAT.
I don't know what unsupported workaround you are talking about, but if you =
referring to adding a fake external interface, this should work if you
dynamic interface resolving mechanism. :-)
HTH - Good luck!
**** =BFHoy qu=E9 haz hecho para ahorrar agua? - What have you done today
to save water? - O que voc=EA t=EAm feito hoje para conservar a =E1gua?
** Mi p=E1gina web: [url]http://gama.fime.uanl.mx/~mhoz/[/url]
* "Somos consecuencia del pasado, y causa de nuestro futuro."
** My Linux - [url]http://www.slackware.com[/url] =3D=3D My BSD - [url]http://www.openbsd.o=[/url]
firewall-wizards mailing list