Re: [fw-wiz] Terminating Secureclient on a private address range
On 9/13/06, Steve Willis <stevewillis@optusnet.com.au> wrote:
>
> We currently run a pair of Nokia ip350's in a HA pair. We have a public
> address for each of the firewalls plus one for the VIP. We have been
> successfully running SecureClient terminating on the VIP address without any
> problems. However we are about to migrate to a new ISP that wants us to
> allocate private addresses to the firewalls and the VIP and they will route
> from the newly allocated public address range to us.
>
> I am unable to see how SecureClient will work in this way. Our ISP assure me
> that this will work using NAT (they tell me this works on their PIX's). I
> managed to track down one document on the net that basically says that
> Checkpoint supplied an unsupported workaround, but even this will not work
> in a HA configuration, and I am certainly not interested in an unsupported
> option. I have agreed to try and get this working on the proviso that if it
> does not we will get public addressing for the firewalls, but so far I have
> been unsuccessful. Does anyone know if this is possible, and if so, any
> pointers?
>
If you have a recent version (NGX), you can use the Link Selection
feature (under the VPN properties on your cluster object), and then say
that your cluster is "Statically NATed" behind NAT.

I don't know what unsupported workaround you are talking about, but if you
are referring to adding a fake external interface, this should work if you
enable the dynamic interface resolving mechanism. :-)

HTH - Good luck!

- Martín.
--
**** What have you done today to save water?
** My web page: http://gama.fime.uanl.mx/~mhoz/
* "We are a consequence of the past, and the cause of our future."
** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org