Re: [fw-wiz] Terminating Secureclient on a private address range
Hi Martin,
Thanks for the input; unfortunately I'm running NGAI R55 HFA17.
Cheers
Dillan
> Martin Hoz wrote:
>
> On 9/13/06, Steve Willis wrote:
> >
> > We currently run a pair of Nokia ip350's in a HA pair. We have a public
> > address for each of the firewalls plus one for the VIP. We have been
> > successfully running SecureClient terminating on the VIP address without
> > any problems. However we are about to migrate to a new ISP that wants us
> > to allocate private addresses to the firewalls and the VIP and they will
> > route from the newly allocated public address range to us.
> >
> > I am unable to see how SecureClient will work in this way. Our ISP assure
> > me that this will work using NAT (they tell me this works on their PIX's).
> > I managed to track down one document on the net that basically says that
> > Checkpoint supplied an unsupported workaround, but even this will not work
> > in a HA configuration, and I am certainly not interested in an unsupported
> > option. I have agreed to try and get this working on the proviso that if
> > it does not we will get public addressing for the firewalls, but so far I
> > have been unsuccessful. Does anyone know if this is possible, and if so,
> > any pointers?
> >
>
> If you have a recent version (NGX), you can use the Link Selection feature
> (under the VPN properties on your cluster object), and then say that your
> cluster is "Statically NATed" behind NAT.
>
> I don't know what unsupported workaround you are talking about, but if you
> are referring to adding a fake external interface, this should work if you
> enable the dynamic interface resolving mechanism. :-)
>
> HTH - Good luck!
>
> - Martín.
>
> --
> **** What have you done today to save water?
> ** My web page: http://gama.fime.uanl.mx/~mhoz/
> * "We are a consequence of the past, and the cause of our future."
> ** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards