
RE: [FW1] RE: Management Console using non-routable IP.



Thanks a ton, that did the trick!

-----Original Message-----
From: "Schönfelder, Sven" [mailto:[email protected]]
Sent: Wednesday, October 11, 2000 3:49 AM
To: Jarmoc, Jeff
Cc: '[email protected]'
Subject: AW: [FW1] RE: Management Console using non-routable IP.



Hello,
we have almost the same configuration working with FW-1 on Windows NT.
Here is the solution I have got from Checkpoint:


> The customer will need to do a putkey from the firewall module to each of
> the management console ips and this can be done with one command, fw putkey
> <legal address> <illegal address> and then he needs to edit the control.map
> file on the remote firewall module by copying the MASTERS line above
> the original MASTERS line and insert the illegal address of the management
> console in place of the word MASTERS, for example:
>
> original:
>
> MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
> CLIENT  :load,db_download,fetch,log/fwa1   opsec/fwn1 */none
> *       :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1
>
> changed:
>
> x.x.x.x :stat,getkey,gettopo/none opsec/fwn1 */fwa1
> MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
> CLIENT  :load,db_download,fetch,log/fwa1   opsec/fwn1 */none
> *       :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1
>
> x.x.x.x is the untranslated address of the Management console.
>
> Make sure the masters file on the remote firewall module contains the
> legal and illegal address.  This needs to be done with the management
> and firewall module stopped.  Once putkeys and control.map file have
> been edited, restart the mgt and then the firewall module.

I hope it helps.
Sven
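The control.map edit and masters-file check that Sven quotes from Checkpoint, written out as an added Python example (not code from the list, from Sven, or from Check Point). It assumes control.map is plain text with one entry per line, a name or address followed by a colon and the permissions, as in the quoted excerpt, and that the masters file lists one management address per line; the sample map contents and the addresses are constructed from what the thread shows, not taken from a live module.

```python
"""Added example: apply the control.map change quoted from Checkpoint above.

Assumptions (not confirmed by the thread): control.map is plain text with one
entry per line, "<name or address> :<permissions>", and the masters file lists
one management address per line. The sample contents below are constructed
from the excerpt in the message, not taken from a live module.
"""
import ipaddress

# Constructed sample: the "original" control.map from the quoted answer, with the
# wrapped third line re-joined onto one line.
ORIGINAL_CONTROL_MAP = """\
MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
CLIENT  :load,db_download,fetch,log/fwa1   opsec/fwn1 */none
*       :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1
"""

# RFC 1918 blocks: the thread's "illegal" (untranslated) address lies in one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr is a private (RFC 1918) address; raises ValueError if it is not an IP."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def add_untranslated_master(control_map: str, untranslated_addr: str) -> str:
    """Copy the MASTERS entry and insert it directly above the MASTERS line,
    keyed by the management console's untranslated address. Idempotent: a map
    that already carries an entry for that address is returned unchanged."""
    ipaddress.ip_address(untranslated_addr)  # reject anything that is not an address
    lines = control_map.splitlines()
    if any(line.partition(":")[0].strip() == untranslated_addr for line in lines):
        return control_map
    out, inserted = [], False
    for line in lines:
        name, sep, perms = line.partition(":")
        if not inserted and sep and name.strip() == "MASTERS":
            # Same permissions as MASTERS, keyed by the untranslated address.
            out.append(f"{untranslated_addr} {sep}{perms}")
            inserted = True
        out.append(line)
    if not inserted:
        raise ValueError("control.map has no MASTERS entry to copy")
    return "\n".join(out) + ("\n" if control_map.endswith("\n") else "")


def masters_file_ok(masters_text: str, legal_addr: str, illegal_addr: str) -> bool:
    """Check that the module's masters file lists both the translated (legal) and
    untranslated (illegal) management addresses, as the quoted answer requires.
    Blank lines and '#' comments are ignored (assumed syntax)."""
    entries = {
        line.strip()
        for line in masters_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    return legal_addr in entries and illegal_addr in entries


if __name__ == "__main__":
    # Constructed addresses mirroring the thread: NAT'd (legal) 73.1.1.1, real (illegal) 192.168.1.1.
    legal, illegal = "73.1.1.1", "192.168.1.1"
    print(f"{illegal} is RFC 1918: {is_rfc1918(illegal)}; {legal} is RFC 1918: {is_rfc1918(legal)}")
    print(add_untranslated_master(ORIGINAL_CONTROL_MAP, illegal))
    masters = f"{legal}\n"  # constructed masters file missing the untranslated address
    print("masters file complete:", masters_file_ok(masters, legal, illegal))
```

The insert is idempotent on purpose: re-running it against a module that already carries the untranslated address leaves control.map untouched, and the masters-file check makes the second requirement in the quoted answer (both addresses present) something you can verify before stopping the modules rather than after the push fails.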

-----Original Message-----
From: Jarmoc, Jeff [mailto:[email protected]]
Sent: Tuesday, October 10, 2000 10:54 PM
To: 'Wayne Graves'
Cc: '[email protected]'
Subject: RE: [FW1] RE: Management Console using non-routable IP.



It seems like you've got a pretty good hold on my problem.  I'm loading my
second firewall, which is on the other side of my first firewall.  Let me
diagram it here:

MGMT---FW1---INTERNET---FW2

The tricky part is that the MGMT console has only an RFC 1918 IP address.
I've got FW2 configured with the NATd IP as its master, and the putkeys
seem to be set up correctly.  I can do an unload and fetch on FW2 and it gets
its policy, but I can't push from MGMT.  My thinking is that when pushing
somehow the NAT rule is messing things up.  I've tried putting a second NAT
rule on FW2 to change MGMT's IP back to the 1918 address, to no avail.  I
have at times had FW2 showing up green in status viewer, but I lose FW1
then.  I can't change the names, because these need to conform to our
standards.  When you say to load 'one at a time' what do you mean exactly?

Again, your help is greatly appreciated.  I'm really at the end of my rope.

-----Original Message-----
From: Wayne Graves [mailto:[email protected]]
Sent: Tuesday, October 10, 2000 3:14 PM
To: Jarmoc, Jeff
Subject: RE: [FW1] RE: Management Console using non-routable IP.


Oh, one other thing, make sure you have solid routes between the firewalls
and the management station; if you're taking a roundabout route and you
disconnect from the firewall during a reload you may lose something. Usually
this only happens when you're trying to load two firewalls and the second one
is connected via the first: the operation of loading will cause the first to go
away for a few seconds and can interfere with the load of the second firewall.
If you can't help it, try loading one at a time and see if it works; if it
does, try changing the name of the second one to something down the alphabet
so it shows up first and then loads first. This worked for me.
                                   Wayne

-----Original Message-----
From: Jarmoc, Jeff [mailto:[email protected]]
Sent: Tuesday, October 10, 2000 12:24 PM
To: '[email protected]'
Subject: [FW1] RE: Management Console using non-routable IP.



As an update, I've determined that I can pull a policy by telnetting into
the 330 and doing an 'fw unload localhost' followed by 'fw fetch 73.1.1.1'
but I cannot push a policy using the GUI tools.  Also, during the time
between the unload and the pull, the firewall shows up as 'untrusted' in
Status Viewer.  Any additional insight would be appreciated.

-----Original Message-----
From: Jarmoc, Jeff 
Sent: Tuesday, October 10, 2000 9:27 AM
To: [email protected]
Subject: Management Console using non-routable IP.


This situation has caused me a lot of trouble.  Here's how everything is
currently configured:

Management console - 
Running on NT 4.0, using a 1918 non-routable IP - 192.168.1.1.  The 650 is
handling NAT for this device, giving it the virtual IP of 73.1.1.1

Nokia 650 - 
multiple interfaces, one is on the same 1918 network as the management
workstation - 192.168.1.1, another is an internet IP - 73.1.1.2

Nokia 330 - situated in a different office, has a 1918 IP on a different
network than the above two, 192.168.2.1, and an internet interface 62.1.1.1

My problem is that I can't seem to get the management console to control
both firewalls at the same time.  I've tried various putkeys and can control
either firewall by doing this, but not both at once.  Specifically, here's
what I've tried:

On management console
putkey -n 192.168.1.1 -p password 73.1.1.2 192.168.1.2
putkey -n 73.1.1.1 -p password 62.1.1.1

on 650
putkey -n 192.168.1.2 -p password 192.168.1.1

on 330
putkey -n 62.1.1.1 -p password 73.1.1.1

Does anyone have any ideas/suggestions?  Thanks in advance.

Jeff Jarmoc - CCNA, MCSE
Network Analyst - Grubb & Ellis  mailto:[email protected]



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================