
Re: [FW-1] logical server how to


  • To: [email protected]
  • Subject: Re: [FW-1] logical server how to
  • From: "Morhous, John" <[email protected]>
  • Date: Fri, 18 Jul 2003 10:24:35 -0400
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcNMq98iOcXsF6vxQwyB4R4N9bS3ZgAi1/Aw
  • Thread-topic: [FW-1] logical server how to

I'm actually going through this setup right now...

What are you using as a platform? I'm on Nokia IPSO, and Nokia support
told me to disable automatic ARP as IPSO has issues with it when it's
set up in Checkpoint. When auto-ARP is off, you'll need to set up proxy
ARP so the FW is able to respond to the IP and do what it needs to.

ICMP isn't going to work when logicals are set up in "other" mode. Found
that out the hard way, and Nokia verified it. Don't know the reason
behind it... ICMPs to my logical return "Destination unreachable" but
protocols like HTTP seem to flow fine. They are stopping at ingress-PRE
on the inspection side.

Now on the NAT side, not sure what the proper setup is there. Both the
logical and real IPs in my setup have public IPs. I've noticed through
tcpdumps that after the initial request and the FW proxying to the real
IP, all subsequent connections go back and forth through the real IPs, so
the FW isn't sitting in the middle of subsequent connections. Your NAT
rules may need to change with that information.

I have it working now with HTTP and HTTPS. We're in the process of
testing it with server persistence, and so far it's working OK. It is an
extra license, so I'm running in eval mode right now until it's verified,
in which case we'll go the purchase route.

-JTM


> -----Original Message-----
> From: Covington, Chris [mailto:[email protected]]
> Sent: Thursday, July 17, 2003 5:39 PM
> To: [email protected]
> Subject: [FW-1] logical server how to
>
>
> Hi all,
>
> In the year or more I've been on this list I've never heard
> anyone discuss logical servers.  Anyway, I'm interested in
> creating a logical SMTP server with my Secureplatform AI
> machine.  I tried creating the logical server of type
> "Other," assigning the SMTP group (none of the machines
> inside this group were NATed - they all have private IPs),
> and giving it an external (public) IP address.  I then
> created a Security rule to allow SMTP to the Logical Server.
> However, it seems I can't ping or connect to the logical
> server IP address in any way, even internally.
>
> FWIW, I have bi-directional NAT, Translate destination on
> client side and Automatic ARP configuration enabled.
>
> What is the proper way to use a logical server?  Does each
> member of the logical server group need an external address as well?
>
> Chris

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.