Re: [FW1] SecuRemote Connection Problems to FW-1 with Public ExternalInterface
This is right. Checkpoint FW-1 uses external interface address information in encryption also. So unless you are planning to use Manual IPSec, which is a pain to maintain, better allocate a real IP address to the FW-1 external interface. Using a private IP for the FW-1 external interface is opposite to Checkpoint's FW-1 brain and I won't go that route at all (assuming you have to think about future upgrades etc.).

I tried what you are trying to do with FW-1 4.0SP4. But in my case I was NATing the FW-1 external interface on the firewall itself. That worked for SecuRemote, but when I tried to use site-to-site encryption it simply refused, since it was using private IP address information in encryption, but the remote firewall gets the packet from the NATed real address and the whole concept just failed.

If you are not planning to use encryption, only in that case I suggest using this, since in that case no external client would need to talk to the FW directly; your packets would simply be routed and firewalled at the FW-1 box. But if planning to use encryption I suggest giving up this idea, unless Checkpoint supports this officially?

Rajeev
Aaron Turner wrote:

Uh yeah. Don't do NAT at the router. That's just going to cause you all

--
Rajeev Kumar ([email protected]) http://www.rajeevnet.com