Firewall Wizards mailing list archives

Re: Terminating Secureclient on a private address range


From: stevewillis () optusnet com au
Date: Thu, 14 Sep 2006 11:44:34 +1000

Hi Martin,

Thanks for the input, unfortunately I'm running NGAI R55 HFA17.


Cheers
Dillan


Martin Hoz <martinhoz () gmail com> wrote:

On 9/13/06, Steve Willis <stevewillis () optusnet com au> wrote:

We currently run a pair of Nokia ip350's in a HA pair. We have a public
address for each of the firewalls plus one for the VIP. We have been
successfully running SecureClient terminating on the VIP address without
any problems. However we are about to migrate to a new ISP that wants us
to allocate private addresses to the firewalls and the VIP and they will
route from the newly allocated public address range to us.

I am unable to see how SecureClient will work in this way. Our ISP assure
me that this will work using NAT (they tell me this works on their PIX's).
I managed to track down one document on the net that basically says that
Checkpoint supplied an unsupported workaround, but even this will not work
in a HA configuration, and I am certainly not interested in an unsupported
option. I have agreed to try and get this working on the proviso that if
it does not we will get public addressing for the firewalls, but so far I
have been unsuccessful. Does anyone know if this is possible, and if so,
any pointers?


If you have a recent version (NGX), you can use the Link Selection
feature (under the VPN properties on your cluster object), and then say
that your cluster is "Statically NATed" behind NAT.

I don't know what unsupported workaround you are talking about, but if
you are referring to adding a fake external interface, this should work
if you enable the dynamic interface resolving mechanism. :-)

HTH - Good luck!

- Martín.

-- 
**** What have you done today to save water?
** My web page: http://gama.fime.uanl.mx/~mhoz/
* "We are a consequence of the past, and the cause of our future."
** My Linux - http://www.slackware.com == My BSD - http://www.openbsd.org
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards