Re: [FW-1] Help with NAT and management console



Did you get an answer to this?  We have the same environment and had to put
the internal and the external address in the masters file (external first).
When a policy is pushed it NATs to the external but the actual
identification is with the internal.  There are some FAQs on phoneboy's
website.  I am still on 4.1, so I am not sure how NG is, but in 4.1 we also
had to do putkeys using the internal and external address.  Let me know how
things go.  I will be upgrading to NG shortly, and will be in the same boat.

-Aaron

-----Original Message-----
From: Robert Masse [mailto:[email protected]]
Sent: Wednesday, November 27, 2002 9:02 AM
To: [email protected]
Subject: [FW-1] Help with NAT and management console


Hi

The problem:  We have a management console on an internal network protected
by a firewall.  We configured automatic NAT so that it automatically is seen
from the outside for our future external firewalls.

When we try to create a remote firewall everything is OK, SIC works and the
firewall becomes trusted. When we try to install the policy on this remote
firewall, the firewall will try to use the INTERNAL IP address of the
management console, instead of the EXTERNAL IP address.  The firewall locks
up and we must go to console and do a fw unloadlocal.  I verified this by
the internal /var/log/messages log and by a packet dump from a host on the
same segment.

Automatic NAT seems to work no problem for the management console as I can
telnet to the management console's external IP address no problem and vice
versa.

The problem is only when we try to push the firewall policy to the remote
firewall.

Help!

Thanks

Rob

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
