Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FW1] too many internal hosts detected x subinterface

To: "'[email protected]'" <[email protected]>
Subject: [FW1] too many internal hosts detected x subinterface
From: Oswaldo Gomes <[email protected]>
Date: Wed, 14 Feb 2001 12:36:55 -0300
Sender: [email protected]

Hi,

	I´m getting this message from Firewall-1. My license is for 50
nodes. I´m sure that I have less than 50 nodes in my internal network.

	My Firewall-1 runs on a Solaris machine, with only two network
adapters. My external.if is configured with the name of the external
interface (elxl0).

	In /var/adm/messages I´m getting hundreds of EXTERNAL IP´s. It seems
like FW-1 is treating they as internal...

	Well, it seems like the problem is the external subinterface I have
configured. It is located in my external network, and it´s not in the
external.if.

	 Ifconfig -a shows:

(external)		elxl0:
flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        		inet x.x.x.x netmask ffffffc0 broadcast x.x.x.x
        		ether 0:10:5a:cc:cf:1d
(subinterface)	elxl0:1:
flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        		inet y.y.y.y netmask ffffff00 broadcast y.y.y.y
(internal) 		elxl1:
flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        		inet z.z.z.z netmask ffffff00 broadcast z.z.z.z
        		ether 0:10:5a:aa:24:cb 

	The subinterface´s IP address belongs to a different subnet than
primary external interface. 
(I´m doing this because I have a static NAT for a internal server, and its
real IP address (published to internet) belongs to a network (class C) other
than the external primary interface. The NAT only worked after I configured
the subinterface, with IP address in the same IP network as the "NATed"
server.)

	I think that Firewall-1 is treating all IP´s that reach the
subinterface (located physically in the external network) as internal
addresses, and so my license is not sufficient.

	Is it right? Or could it be something else?

	If I´m right, I´ll have to try another solution, without the
subinterface? 
	
	Phoneboy´s says: "The external interface is often the interface
facing your Internet router. If you have more than one "external" interface,
you should be using an unlimited node license"

	This is bad.......... :(

 TIA,

 Oswaldo Gomes

	


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: [FW1] IPSec in Transport mode or in Tunnel Mode
Next by Date: [FW1]Securemote stops working after SP3
Previous by thread: [FW1] License management station on virtual address
Next by thread: [FW1]Securemote stops working after SP3
Index(es):
- Date
- Thread