[FW1] too many internal hosts detected x subinterface

Hi,

I'm getting this message from Firewall-1. My license is for 50 nodes. I'm sure that I have less than 50 nodes in my internal network.

My Firewall-1 runs on a Solaris machine, with only two network adapters. My external.if is configured with the name of the external interface (elxl0). In /var/adm/messages I'm getting hundreds of EXTERNAL IPs. It seems like FW-1 is treating them as internal...

Well, it seems like the problem is the external subinterface I have configured. It is located in my external network, and it's not in the external.if.

Ifconfig -a shows:

(external)
elxl0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet x.x.x.x netmask ffffffc0 broadcast x.x.x.x
        ether 0:10:5a:cc:cf:1d

(subinterface)
elxl0:1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet y.y.y.y netmask ffffff00 broadcast y.y.y.y

(internal)
elxl1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet z.z.z.z netmask ffffff00 broadcast z.z.z.z
        ether 0:10:5a:aa:24:cb

The subinterface's IP address belongs to a different subnet than the primary external interface. (I'm doing this because I have a static NAT for an internal server, and its real IP address (published to internet) belongs to a network (class C) other than the external primary interface. The NAT only worked after I configured the subinterface, with IP address in the same IP network as the "NATed" server.)

I think that Firewall-1 is treating all IPs that reach the subinterface (located physically in the external network) as internal addresses, and so my license is not sufficient.

Is it right? Or could it be something else? If I'm right, I'll have to try another solution, without the subinterface?

Phoneboy says:

"The external interface is often the interface facing your Internet router. If you have more than one "external" interface, you should be using an unlimited node license"

This is bad..........
:(

TIA,
Oswaldo Gomes