[FW1] Disappearing NAT - Flakey NAT sufferers
Thanks for your responses. It seems that the problem spans both manual NAT and auto NAT techniques. It also spans platforms and is not just a Nokia problem. It spans service pack levels. We run NT and Nokias and have seen it on both. I'd like to propose we share more information to find a common thread. I'll start that process now.

Our NT firewalls are running 512 MB of memory and are 4.1 SP3.
Our Nokias are 330s, running 64 MB of memory, and are at 4.1 SP2 with flows, IPSO 3.3-FCS3.
We run 10Dot networks across all sites.
We use VPNs extensively to replace Frame Relay.
We have subnetted the 10Dot address space with a 23-bit subnet mask.
We allow anything outbound. We hide behind the FW outside interface.
Manual NAT rules are in place to replace most auto NAT hides for inside nets. Left some auto NAT in place to see if there is a difference - we have had recurrences.
We allow access thru the FW to static servers. Like with hiding, some auto replaced with manual - no conclusion yet, but no problems reported in 2 weeks. MASSIVE admin headache to replace auto with manual here!!!

Symptoms go like this:
Sites report web-browsing getting slow - push fixes.
Sites report 10Dots can't browse - push fixes.
Sites report inbound access to statically mapped servers fails - sometimes a push fixes this, sometimes not. When it does not, we have to define a new static entity for anything at the site, then push - or delete the failing entity, push, redefine and push again. In some cases none of this works; then we fwunload/fwstop/delete the state tables/fwstart/push - a major wrestling match.

In my mind it can only be a Checkpoint problem. If anyone is experiencing this problem and is going to the conference in Nashville, I suggest we collaborate and present a unified case. Unified voices are better than one-at-a-time complaints. This problem has ruined the credibility of our 20-site VPN firewall implementation.
The reputation was flawless until we upgraded - almost zero problems, but since then it has been an absolute mess. To make matters worse, I think Checkpoint's response to the whole thing - in the way they support my VAR - stinks. I think I have a good VAR; however, they ultimately have to depend on Checkpoint for support. As far as I can see, their problem is my problem. Bottom line is that this is absurd and must be fixed. As far as I can see we have a textbook implementation of a private address space - an absolute necessity for us - which now is fraught with intermittent failures that make the whole approach look questionable. Again, absurd, because this is what Checkpoint is selling; this is their flagship - the integrated VPN.

George Janz
North Stonington
Fairfax
[email protected]

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================