On 9/13/06, Steve Willis wrote:
> We currently run a pair of Nokia ip350's in a HA pair. We have a public
> address for each of the firewalls plus one for the VIP. We have been
> successfully running SecureClient terminating on the VIP address without
> problems. However we are about to migrate to a new ISP that wants us to
> allocate private addresses to the firewalls and the VIP and they will route
> from the newly allocated public address range to us.
> I am unable to see how SecureClient will work in this way. Our ISP assure
> that this will work using NAT (they tell me this works on their PIX's). I
> managed to track down one document on the net that basically says that
> Checkpoint supplied an unsupported workaround, but even this will not work
> in a HA configuration, and I am certainly not interested in an unsupported
> option. I have agreed to try and get this working on the proviso that if it
> does not we will get public addressing for the firewalls, but so far I have
> been unsuccessful. Does anyone know if this is possible, and if so, any
> pointers?

If you have a recent version (NGX), you can use the Link Selection
feature (under the VPN properties on your cluster object), and then
say that your cluster is "Statically NATed" behind NAT.

I don't know what unsupported workaround you are talking about, but if
you are referring to adding a fake external interface, this should work
if you enable the dynamic interface resolving mechanism. :-)

HTH - Good luck!

- Martín.

firewall-wizards mailing list