Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: Terminating Secureclient on a private address range
From: stevewillis () optusnet com au
Date: Thu, 14 Sep 2006 11:44:34 +1000

HI Martin,



     Thanks for the input, unfortunately I'm running NGAI R55 HFA17


Cheers
Dillan


Martin Hoz <martinhoz () gmail com> wrote:

On 9/13/06, Steve Willis <stevewillis () optusnet com au> wrote:

We currently run a pair of Nokia ip350's in a HA pair. We have a 
public
address for each of the firewalls plus one for the VIP. We have been
successfully running SecureClient terminating on the VIP address 
without any
problems. However we are about to migrate to a new ISP that wants us 
to
allocate private addresses to the firewalls and the VIP and they will 
route
from the newly allocated public address range to us.

I am unable to see how SecureClient will work in this way. Our ISP 
assure me
that this will work using NAT (they tell me this works on their 
PIX's). I
managed to track down one document on the net that basically says that
Checkpoint supplied an unsupported workaround, but even this will not 
work
in a HA configuration, and I am certainly not interested in an 
unsupported
option. I have agreed to try and get this working on the proviso that 
if it
does not we will get public addressing for the firewalls, but so far I 
have
been unsuccessful. Does anyone know if this is possible, and if so, 
any
pointers?


If you have a recent version (NGX), you can use the Link Selection
feature (under the
VPN properties on your cluster object), and then say that your cluster 
is
"Statically NATed" behind NAT.

I don't know what unsupported workaround you are talking about, but if 
you are
referring to adding a fake external interface, this should work if you
enable the
dynamic interface resolving mechanism. :-)

HTH - Good luck!

- Martín.

-- 
**** ¿Hoy qué haz hecho para ahorrar agua? - What have you done today
to save water? - O que você têm feito hoje para conservar a água?
** Mi página web: http://gama.fime.uanl.mx/~mhoz/
* "Somos consecuencia del pasado, y causa de nuestro futuro."
** My Linux - http://www.slackware.com == My BSD - 
http://www.openbsd.org
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault