hi,
you can do port redirection.
on the config-page of the connectra where you configure the SNX you
can define the official IP-address of the connectra-box, this IP is
transferred to the SNX-client and then the client can connect home.
cheers
reinhard
At 14:27 29.12.2005, you wrote:
ok guys... Please help.
I just installed my first connectra, thanks to both Reinhard and Ray,
and placed it in my dmz network with an IP of 192.168.15.104.
My dmz network has a network of 192.168.15.0/24. I set up the
connectra and everything appears to be working.
The problem is that my network only has one static public IP address,
129.174.1.8, and this public IP is being used by my cisco 2621 router.
This cisco router has 3 interfaces, public, internal and dmz. My
internal network is 192.168.1.0/24.
I would like to allow users from the Internet to access my internal
network via the connectra with ssl network extender. Because
I only have 1 public IP address, I have to come up with port-redirect:
interface FastEthernet0/0
 description External Network
 ip address 129.174.1.8
 ip nat outside
interface FastEthernet0/1
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet1/0
 description DMZ Network
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.15.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.15.104 4433 interface FastEthernet0/0 4433
ip nat inside source static tcp 192.168.15.104 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.15.104 444 interface FastEthernet0/0 444
Well... Users on the Internet can connect to the connectra just fine,
but that's pretty much it. I got an error telling me that "can not
connect via ssl network extender". Looking at the cisco log message
and acl, I see hits on https but NOT SNX or tcp port 444. By the way,
I can remotely manage the connectra from across the Internet as well.
My question is this: when setting up connectra, do I have to static
NAT the connectra to a public IP by itself, or can I get away with
doing port-redirect like I do with my cisco device? Please help....
my email is cisco4ng at yahoo dot com
TIA
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
--
Reinhard Stich ASSIST R.Stich AT internet-security DOT at
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333