[FW-1] Windows 2000, NG, Routing and IP Pool Nat

Subject: [FW-1] Windows 2000, NG, Routing and IP Pool Nat
From: Neil Kemp <neil.kemp AT BUSINESSSENSE.CO DOT UK>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 30 Nov 2004 10:52:30 +0000
> Good Afternoon, I was wondering if anyone had comments on the below.

> I have a customer who has upgraded from version 4.1 to NG R55 running
> on Windows 2000 Server. By upgrading I mean building a new server with R55 
> and importing the rulebase and configuration from before. Everything looks as 
> though it is working fine, no real issues, there is automatic ARP running and 
> a couple of NATted IP addresses for mail and web etc. Standard stuff.

> Their configuration is as follows:

> Internal Network - 192.168.22.0/24
> Other Internal Networks routed through 192.168.22.1
> Default route through 192.168.22.1
> Firewall Internal Interface 192.168.22.29

> One of the issues is that this customer does not know the full extent of 
> their network (being quite a disparate company) which means he needs to route 
> all traffic initially through 192.168.22.1. We have changed the default route 
> on some of the key machines on the 192.168.22.0 network and added static 
> routes on others, so it all works quite well. All users run through a proxy 
> server for internet access.

> My issue comes when SecuRemote users come in via the Internet. They need to 
> have assigned an IP address from IP Pool NAT. I created a network 
> (192.168.22.194 - 222 (I think....)) which is a valid subnet, on the 
> firewall, and assigned it to IP Pool NAT. I can ping those devices when they 
> connect, so I know it is working OK.

> It has been a while since I did anything with IP Pool NAT, going back a 
> couple of years and 4.1, but I am having issues with correct routing and, I 
> think, ARP. On the default router (192.168.22.1) I added the route back to 
> the IP addresses from the pool through 192.168.22.29. When the users connect, 
> they can ping anything beyond the locally connected network (i.e. any network 
> routed through 192.168.22.1) but nothing on the 192.168.22.0 network. I have 
> a feeling it is to do with ARP and routing.

My plan was to turn off automatic ARP, edit local.arp to incorporate the NATted 
IP addresses, and an entry for each of the IP Pool NAT addresses to the 
internal interface of the firewall - and push the policy.

Any comments?

Regards

Neil Kemp
neil.kemp AT businesssense.co DOT uk
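The on-link versus routed distinction behind the symptom Neil describes, worked through as an added example that is not part of the original message. It uses the addresses quoted in the post (192.168.22.0/24, firewall interface .29, router .1, pool .194 to .222); the firewall MAC address is a placeholder, and the `local.arp` line format (`<ip> <mac>`, hyphen-separated MAC, one entry per line, under `%FWDIR%\state` on Windows) is an assumption to verify against the product documentation before use.

```python
"""Why hosts on the firewall's own subnet cannot reach IP Pool NAT addresses
without proxy ARP, and the local.arp entries that would cover the pool.

Added example, not from the post or from Check Point. Addresses are the ones
quoted in the post; the firewall MAC and the local.arp format are assumptions."""
import ipaddress
from typing import List

INTERNAL_NET = "192.168.22.0/24"      # internal network from the post
FW_INTERNAL_IP = "192.168.22.29"      # firewall internal interface
DEFAULT_ROUTER = "192.168.22.1"       # router holding the route to the pool via .29
POOL_FIRST, POOL_LAST = "192.168.22.194", "192.168.22.222"  # IP Pool NAT range
# Placeholder MAC for the firewall's internal NIC; the post does not give it.
FW_INTERNAL_MAC = "00-00-00-AA-BB-CC"


def pool_addresses(first: str, last: str) -> List[str]:
    """Expand an inclusive first..last IPv4 range into individual addresses."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.ip_address(n)) for n in range(int(a), int(b) + 1)]


def next_hop(client_net: str, dst: str) -> str:
    """How a host on client_net forwards a packet to dst.

    If dst falls inside the host's own subnet, the host ARPs for it directly
    ('arp') and never consults its gateway; otherwise it hands the packet to
    the router ('router'). The static route on 192.168.22.1 only helps in the
    second case, which is why remote networks reach the pool and the local
    LAN does not."""
    on_link = ipaddress.ip_address(dst) in ipaddress.ip_network(client_net)
    return "arp" if on_link else "router"


def addresses_needing_proxy_arp(client_net: str, pool: List[str]) -> List[str]:
    """Pool addresses a host on client_net would ARP for, i.e. the ones the
    firewall must answer ARP requests for on its internal interface."""
    return [ip for ip in pool if next_hop(client_net, ip) == "arp"]


def local_arp_entries(addresses: List[str], mac: str) -> List[str]:
    """Build local.arp lines. Assumed Windows format: '<ip> <mac>' with a
    hyphen-separated MAC, one entry per line."""
    return [f"{ip} {mac}" for ip in addresses]


def sanity_check(pool: List[str]) -> List[str]:
    """Flag pool members that collide with the firewall's or router's own IP;
    proxy-ARPing for those would break the LAN."""
    return [ip for ip in pool if ip in (FW_INTERNAL_IP, DEFAULT_ROUTER)]


if __name__ == "__main__":
    pool = pool_addresses(POOL_FIRST, POOL_LAST)
    print(f"{len(pool)} pool addresses; collisions: {sanity_check(pool) or 'none'}")
    # A host on 192.168.22.0/24 ARPs for the pool; a host on another LAN
    # (constructed 192.168.30.0/24) goes via the router and is fine.
    for net in (INTERNAL_NET, "192.168.30.0/24"):
        print(f"host on {net} reaches {pool[0]} via {next_hop(net, pool[0])}")
    needed = addresses_needing_proxy_arp(INTERNAL_NET, pool)
    for line in local_arp_entries(needed, FW_INTERNAL_MAC):
        print(line)
```

Running it lists all 29 pool addresses as needing proxy ARP from the 192.168.22.0/24 side and none from the constructed remote subnet, which matches the "works beyond the router, fails on the local LAN" symptom; the generated lines are the shape of what a manual local.arp would contain once the real interface MAC is substituted.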
