Re: [FW-1] logical server how to
I'm actually going through this setup right now... What are you using as a platform? I'm on Nokia IPSO, and Nokia support told me to disable automatic ARP as IPSO has issues with it when it's set up in Checkpoint. When auto-ARP is off, you'll need to set up proxy ARP so the FW is able to respond to the IP and do what it needs to.

ICMP isn't going to work when logicals are set up in "other" mode. Found that out the hard way, and Nokia verified it. Don't know the reason behind it... ICMPs to my logical return "Destination unreachable" but protocols like HTTP seem to flow fine. They are stopping at ingress-PRE on the inspection side.

Now on the NAT side, not sure what the proper setup is there. Both the logical and real IPs in my setup have public IPs. I've noticed through tcpdumps that after the initial request and FW proxies to the real IP, that all subsequent connections go back and forth through the real IPs, so the FW isn't sitting in the middle of subsequent connections. Your NAT rules may need to change with that information.

I have it working now with HTTP and HTTPS. We're in the process of testing it with server persistence, and so far it's working OK. It is an extra license, so I'm running in eval mode right now until it's verified, in which case we'll go the purchase route.

-JTM

> -----Original Message-----
> From: Covington, Chris [mailto:[email protected]]
> Sent: Thursday, July 17, 2003 5:39 PM
> To: [email protected]
> Subject: [FW-1] logical server how to
>
> Hi all,
>
> In the year or more I've been on this list I've never heard
> anyone discuss logical servers. Anyway, I'm interested in
> creating a logical SMTP server with my Secureplatform AI
> machine. I tried creating the logical server of type
> "Other," assigning the SMTP group (none of the machines
> inside this group were NATed - they all have private IPs),
> and giving it an external (public) IP address. I then
> created a Security rule to allow SMTP to the Logical Server.
> However, it seems I can't ping or connect to the logical
> server IP address in any way, even internally.
>
> FWIW, I have bi-directional NAT, Translate destination on
> client side and Automatic ARP configuration enabled.
>
> What is the proper way to use a logical server? Does each
> member of the logical server group need an external address as well?
>
> Chris
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================