[fw-wiz] Terminating Secureclient on a private address range

Martin Hoz martinhoz at gmail.com
Wed Sep 13 10:55:13 EDT 2006


On 9/13/06, Steve Willis <stevewillis at optusnet.com.au> wrote:
>
> We currently run a pair of Nokia ip350's in a HA pair. We have a public
> address for each of the firewalls plus one for the VIP. We have been
> successfully running SecureClient terminating on the VIP address without any
> problems. However we are about to migrate to a new ISP that wants us to
> allocate private addresses to the firewalls and the VIP and they will route
> from the newly allocated public address range to us.
>
> I am unable to see how SecureClient will work in this way. Our ISP assure me
> that this will work using NAT (they tell me this works on their PIX's). I
> managed to track down one document on the net that basically says that
> Checkpoint supplied an unsupported workaround, but even this will not work
> in a HA configuration, and I am certainly not interested in an unsupported
> option. I have agreed to try and get this working on the proviso that if it
> does not we will get public addressing for the firewalls, but so far I have
> been unsuccessful. Does anyone know if this is possible, and if so, any
> pointers?
>

If you have a recent version (NGX), you can use the Link Selection
feature (under the VPN properties on your cluster object), and then say
that your cluster is "Statically NATed" behind NAT.

I don't know what unsupported workaround you are talking about, but if
you are referring to adding a fake external interface, this should work
if you enable the dynamic interface resolving mechanism. :-)

HTH - Good luck!

- Martín.

-- 
**** What have you done today to save water?
** My web page: http://gama.fime.uanl.mx/~mhoz/
* "We are a consequence of the past, and the cause of our future."
** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org

