Firewall-1

[FW-1] Connectra on SecurePlatform problem Part II... Please help

Subject: [FW-1] Connectra on SecurePlatform problem Part II... Please help
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 29 Dec 2005 05:27:07 -0800
OK guys... Please help.

I just installed my first Connectra, thanks to both Reinhard and Ray,
and placed it in my DMZ network with an IP of 192.168.15.104.
My DMZ network is 192.168.15.0/24. I set up the
Connectra and everything appears to be working.

The problem is that my network only has one static public IP address,
129.174.1.8, and this public IP is being used by my Cisco 2621 router.
This Cisco router has 3 interfaces: public, internal and DMZ. My
internal network is 192.168.1.0/24.

I would like to allow users from the Internet to access my internal
network via the Connectra with SSL Network Extender. Because
I only have 1 public IP address, I have to come up with a port-redirect:
   
interface FastEthernet0/0
 description External Network
 ip address 129.174.1.8
 ip nat outside

interface FastEthernet0/1
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

interface FastEthernet1/0
 description DMZ Network
 ip address 192.168.15.1 255.255.255.0
 ip nat inside

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.15.104 4433 interface FastEthernet0/0 4433
ip nat inside source static tcp 192.168.15.104 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.15.104 444 interface FastEthernet0/0 444
   
Well... Users on the Internet can connect to the Connectra just fine, but
that's pretty much it. I got an error telling me that "cannot connect via SSL Network
Extender". Looking at the Cisco log messages and ACL, I see hits on HTTPS but
NOT SNX or TCP port 444. By the way, I can remotely manage the Connectra from across
the Internet as well.

My question is this: when setting up Connectra, do I have to static NAT the
Connectra to a public IP by itself, or can I get away with doing port-redirect
like I do with my Cisco device? Please help....

My email is cisco4ng at yahoo dot com

TIA
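An added example, not from the post or from Check Point or Cisco, for auditing the router's port-redirect entries before chasing the SNX failure further: it parses the `ip nat inside source static` lines and reports which of the outside ports the post expects the Connectra to answer on (443, 444 and 4433) have no static forward or are forwarded to a different inside host. The sample config is constructed from the lines in the post.

```python
import re

# Constructed sample: the NAT lines from the post (the overload rule plus the three
# static port redirects to the Connectra at 192.168.15.104).
SAMPLE_CONFIG = """\
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.15.104 4433 interface FastEthernet0/0 4433
ip nat inside source static tcp 192.168.15.104 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.15.104 444 interface FastEthernet0/0 444
"""

# Shape of one static PAT line:
#   ip nat inside source static <proto> <inside-ip> <inside-port> interface <outside-if> <outside-port>
STATIC_PAT = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<inside_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<inside_port>\d+) "
    r"interface (?P<iface>\S+) (?P<outside_port>\d+)$"
)

def parse_static_pat(config):
    """Map (proto, outside_port) -> (inside_ip, inside_port) for each static PAT line.
    Interface stanzas, ACLs and the dynamic overload rule do not match and are skipped."""
    mappings = {}
    for raw in config.splitlines():
        m = STATIC_PAT.match(raw.strip())
        if m:
            mappings[(m["proto"], int(m["outside_port"]))] = (m["inside_ip"], int(m["inside_port"]))
    return mappings

def audit_forwards(config, inside_ip, required_ports, proto="tcp"):
    """Return (missing, misdirected): required outside ports with no static entry,
    and ports whose entry sends traffic to a host other than inside_ip."""
    mappings = parse_static_pat(config)
    missing, misdirected = set(), {}
    for port in required_ports:
        target = mappings.get((proto, port))
        if target is None:
            missing.add(port)
        elif target[0] != inside_ip:
            misdirected[port] = target
    return missing, misdirected

if __name__ == "__main__":
    # Ports the post expects the Connectra to answer on from the outside.
    print(audit_forwards(SAMPLE_CONFIG, "192.168.15.104", {443, 444, 4433}))
```

The check only covers the router's static entries; whether the Connectra itself accepts SNX sessions behind port-redirect rather than a dedicated public IP is exactly the question the post leaves open.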
