Hi Reinhard,
That's exactly what I am talking about. If I use the primary IP address for
my portal service (192.168.15.104) and the secondary IP address for my
SNX service (192.168.15.103), and they both use tcp port 443, does it mean
that I need two public IP addresses to static NAT these to make it work? Is
it possible with port redirect with just a single IP and both portal and SNX
service using tcp port 443?
About the second point, how do I get it to work in application mode? Can you
show me how? Thanx.
TIA
Reinhard Stich <r.stich AT INTERNET-SECURITY DOT AT> wrote:
hi,
at the moment you need to separate the SNX-service and the portal-service.
by default this is done using 2 ports on the same IP (443 and 444). what
you can do is to use 2 IPs and the same port on 2 different IPs.
cheers
reinhard
At 05:08 30.12.2005, you wrote:
> Thanks to Reinhard, I can connect to my Connectra, via port redirect,
> which sits on my DMZ network behind a Cisco IOS router running the
> firewall feature set. I can connect to the device via SNX mode fine and
> everything is working great.
>
> However, as a beginner with this device, I have the following questions
> that I need help with from the gurus in this forum:
>
> 1) I would like to tunnel everything, including SNX, via tcp port 443.
> Currently, SNX is using the default port of tcp 444. I can accomplish
> this using a secondary IP address on the primary NIC. My current IP
> address of the Connectra is 192.168.15.104 and I am thinking of using
> 192.168.15.103 for the secondary IP address of SNX. However, because
> this is my home network and I only have 1 public IP and that IP is being
> used by the Cisco IOS router/firewall, I can redirect port 443 from the
> router to the Connectra primary IP but I don't think I can redirect
> another tcp 443 from the router to the secondary IP address of the
> Connectra. Is there a workaround for this with only 1 public IP? Does it
> mean that if I want to use tcp 443 for both portal and SNX, it is not
> possible with port redirect? This is what I have in my Cisco router
> configuration:
>
> ip nat inside source static tcp 192.168.15.104 443 interface FastEthernet0/0 443
> ip nat inside source static tcp 192.168.15.104 444 interface FastEthernet0/0 444
>
> As you can see, I can NOT NAT port 443 on the router to a different
> internal address. How can I get everything to work via tcp port 443?
>
> 2) When using SNX network mode, the SNX extender client is installed on
> the local machine. Sometimes, it is not possible because the local does
> not have privilege to do so. The solution is to use Application mode
> (aka java download). When I create a network application, I specifically
> specify "this application CAN be used with SSL Network Extender
> Application Mode". However, after successfully authenticating to
> Connectra, I can NOT access any resources via Connectra. What other
> settings am I missing? Please help.
>
> TIA
> cisco4ng
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner AT ts.checkpoint DOT com
>=================================================
--
Reinhard Stich ASSIST R.Stich AT internet-security DOT at
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333