RE: [FW1] RE: Management Console using non-routable IP.
Thanks a ton, that did the trick!

-----Original Message-----
From: "Schönfelder, Sven" [mailto:[email protected]]
Sent: Wednesday, October 11, 2000 3:49 AM
To: Jarmoc, Jeff
Cc: '[email protected]'
Subject: RE: [FW1] RE: Management Console using non-routable IP.

Hello,

we have almost the same configuration working with FW-1 on Windows NT. Here is the solution I got from Checkpoint:

> The customer will need to do a putkey from the firewall module to each of the management
> console IPs, and this can be done with one command:
>
>     fw putkey <legal address> <illegal address>
>
> Then he needs to edit the control.map file on the remote firewall module by copying the
> MASTERS line above the original MASTERS line and inserting the illegal address of the
> management console in place of the word MASTERS, for example:
>
> original:
>
> MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
> CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
> * :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny
> opsec/fwn1 */fwa1
>
> changed:
>
> x.x.x.x :stat,getkey,gettopo/none opsec/fwn1 */fwa1
> MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
> CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
> * :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny
> opsec/fwn1 */fwa1
>
> x.x.x.x is the untranslated address of the management console.
>
> Make sure the masters file on the remote firewall module contains the
> legal and illegal address. This needs to be done with the management
> and firewall module stopped. Once the putkeys and control.map file have
> been edited, restart the mgmt and then the firewall module.

I hope it helps.

Sven

-----Original Message-----
From: Jarmoc, Jeff [mailto:[email protected]]
Sent: Tuesday, October 10, 2000 10:54 PM
To: 'Wayne Graves'
Cc: '[email protected]'
Subject: RE: [FW1] RE: Management Console using non-routable IP.

It seems like you've got a pretty good hold on my problem.
I'm loading my second firewall, which is on the other side of my first firewall. Let me diagram it here:

    MGMT---FW1---INTERNET---FW2

The tricky part is that the MGMT console has only an RFC 1918 IP address. I've got FW2 configured with the NATed IP as its master, and the putkeys seem to be set up correctly. I can do an unload and fetch on FW2 and it gets its policy, but I can't push from MGMT. My thinking is that when pushing, somehow the NAT rule is messing things up. I've tried putting a second NAT rule on FW2 to change MGMT's IP back to the 1918 address, to no avail. I have at times had FW2 showing up green in Status Viewer, but I lose FW1 then.

I can't change the names, because these need to conform to our standards. When you say to load 'one at a time', what do you mean exactly?

Again, your help is greatly appreciated. I'm really at the end of my rope.

-----Original Message-----
From: Wayne Graves [mailto:[email protected]]
Sent: Tuesday, October 10, 2000 3:14 PM
To: Jarmoc, Jeff
Subject: RE: [FW1] RE: Management Console using non-routable IP.

Oh, one other thing: make sure you have solid routes between the firewalls and the management station. If you're taking a roundabout route and you disconnect from the firewall during a reload, you may lose something. Usually this only happens when you're trying to load two firewalls and the second one is connected via the first; the operation of loading will cause the first to go away for a few seconds and can interfere with the load of the second firewall. If you can't help it, try loading one at a time and see if it works. If it does, try changing the name of the second one to something down the alphabet so it shows up first and then loads first. This worked for me.

Wayne

-----Original Message-----
From: Jarmoc, Jeff [mailto:[email protected]]
Sent: Tuesday, October 10, 2000 12:24 PM
To: '[email protected]'
Subject: [FW1] RE: Management Console using non-routable IP.
As an update, I've determined that I can pull a policy by telnetting into the 330 and doing an 'fw unload localhost' followed by 'fw fetch 73.1.1.1', but I cannot push a policy using the GUI tools. Also, during the time between the unload and the pull, the firewall shows up as 'untrusted' in Status Viewer.

Any additional insight would be appreciated.

-----Original Message-----
From: Jarmoc, Jeff
Sent: Tuesday, October 10, 2000 9:27 AM
To: [email protected]
Subject: Management Console using non-routable IP.

This situation has caused me a lot of trouble. Here's how everything is currently configured:

Management console
- Running on NT 4.0, using a 1918 non-routable IP: 192.168.1.1. The 650 is handling NAT for this device, giving it the virtual IP of 73.1.1.1

Nokia 650
- Multiple interfaces; one is on the same 1918 network as the management workstation - 192.168.1.1, another is an internet IP - 73.1.1.2

Nokia 330
- Situated in a different office; has a 1918 IP on a different network than the above two, 192.168.2.1, and an internet interface 62.1.1.1

My problem is that I can't seem to get the management console to control both firewalls at the same time. I've tried various putkeys and can control either firewall by doing this, but not both at once. Specifically, here's what I've tried:

On the management console:
    putkey -n 192.168.1.1 -p password 73.1.1.2 192.168.1.2
    putkey -n 73.1.1.1 -p password 62.1.1.1

On the 650:
    putkey -n 192.168.1.2 -p password 192.168.1.1

On the 330:
    putkey -n 62.1.1.1 -p password 73.1.1.1

Does anyone have any ideas/suggestions? Thanks in advance.
Jeff Jarmoc - CCNA, MCSE
Network Analyst - Grubb & Ellis
mailto:[email protected]

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
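The control.map and masters-file edit that Sven quotes from Checkpoint, as an added example that is not part of the original thread and not Check Point's own tooling: a POSIX shell script that duplicates the MASTERS line of a control.map with the management console's untranslated address substituted for the keyword, and checks that a masters file lists both the translated and untranslated addresses. The sample file contents are constructed from the layout quoted above (the third control.map entry is written on one line here); the function names, the temporary file paths and the addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point. Rewrites a FW-1
# control.map so the management console's untranslated address gets the same
# rights as the MASTERS keyword, and checks the masters file lists both the
# translated and untranslated addresses. All file contents are constructed.

# add_untranslated_master CONTROL_MAP UNTRANSLATED_IP
# Prints the rewritten control.map: the first MASTERS line is copied above
# itself with the keyword replaced by the literal address; every other line
# is passed through unchanged.
add_untranslated_master() {
    awk -v ip="$2" '
        /^MASTERS[[:space:]]/ && !done {
            line = $0
            sub(/^MASTERS/, ip, line)   # same permission string, literal IP
            print line
            done = 1
        }
        { print }
    ' "$1"
}

# check_masters MASTERS_FILE LEGAL_IP ILLEGAL_IP
# Returns 0 only when both addresses appear as complete lines (-x, -F: exact
# fixed-string match, so 73.1.1.1 does not match 73a1b1c1).
check_masters() {
    grep -qxF "$2" "$1" && grep -qxF "$3" "$1"
}

# --- constructed sample input (assumed paths under a temp directory) ---
tmp=$(mktemp -d)
cat > "$tmp/control.map" <<'EOF'
MASTERS :stat,getkey,gettopo/none opsec/fwn1 */fwa1
CLIENT :load,db_download,fetch,log/fwa1 opsec/fwn1 */none
* :stat,getkey,gettopo/none unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1
EOF
printf '73.1.1.1\n192.168.1.1\n' > "$tmp/masters"   # translated + untranslated

add_untranslated_master "$tmp/control.map" 192.168.1.1 > "$tmp/control.map.new"
cat "$tmp/control.map.new"
check_masters "$tmp/masters" 73.1.1.1 192.168.1.1 && echo "masters file OK"
```

The inserted line hands MASTERS-level rights (stat, getkey, gettopo) to whatever source address matches it, so the script accepts one literal address, leaves every other entry untouched and writes to a new file rather than in place; review the output before copying it over the module's control.map, and do so with the management and firewall modules stopped, as the quoted instructions say.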