Firewall-1

Re: [FW-1] Gurus in this list. Please help

Subject: Re: [FW-1] Gurus in this list. Please help
From: Kevin.J.Nevala AT GTSERVICING DOT COM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 16 Jan 2006 08:01:49 -0600
What about changing the host file on the Checkpoint device?  I answer this
with a question because my first response was adjusting the host file on
the other 2 servers.  Apparently that was already thought of and shot down.

Kevin



From: cisco4ng <cisco4ng@YAHOO.COM>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: FW-1-MAILINGLIST AT AMADEUS.US DOT CHECKPOINT.COM
cc:
Subject: Re: [FW-1] Gurus in this list. Please help
Date: 01/15/2006 02:22 PM
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>




I wish that it could be that easy. The problem is that this stupid application will always use DNS instead of the hosts file. Therefore, changing the hosts file will not do me any good.

I contacted the vendor and they say it will take about 2 weeks to come up with a fix for this.

But aside from that, I would like to know if it is possible to do this with Checkpoint as well because I want to learn more about it, for my own good.

cisco4ng

Ronny Nussbaum <ronnynussbaum AT GMAIL DOT COM> wrote:
Hello Cisco4ng.
I was wondering: can you edit each server's hosts file, so that the other
server's name gets resolved to the IP address that you want?

That way, DNS will not even be used when one wants to access the other.

-RoNNY


On 1/15/06, cisco4ng wrote:
>
> Hi Gurus,
>
> Please advise with the following scenario:
>
> Checkpoint Secureplatform NG with AI R55w and the latest HFA_04.
> This firewall has 3 interfaces, Internet, Internal and Dmz.
>
> I have a host in my Internal network with an IP address of 192.168.1.10.
> This host is static NAT to the Internet with an IP address
> of 129.174.1.8.
>
> I have a host on the Dmz network with an IP address
> of 192.168.2.50. This host is static NAT to the Internet with an
> IP address of 129.174.1.13.
>
> The DNS server is being hosted by my ISP. The host 129.174.1.8 has
> a Fully Qualified Domain Name (FQDN) of db1.newco.com and the host
> 129.174.1.13 has an FQDN of crm.newco.com.
>
> Back to my network, the host 192.168.1.10 and the host 192.168.2.50
> communicate with each other with the real address and everything is
> working fine via IP address.
>
> Here is my problem:
> The customer just recently migrated from a Cisco Pix to Checkpoint
> Firewall. The customer has a proprietary application installed on
> both host 192.168.1.10 and host 192.168.2.50. This application
> communicates between host 192.168.1.10 and host 192.168.2.50 via
> Fully Qualified Domain Name (FQDN). It means that the application is
> embedded with the FQDN of db.newco.com and crm.newco.com in the
> application itself. To make matters worse, it looks up the name
> via DNS. As you can see, it causes the problem because two hosts
> behind the firewall are trying to communicate with each other via public
> addresses.
>
> With Cisco pix firewall, there is a feature called DNS doctoring.
> For example, when host 192.168.1.10 communicates with crm.newco.com,
> it goes to the DNS server, which sits outside the firewall, and gets
> a resolution of 129.174.1.13. Before the reply comes back to host
> 192.168.1.10, the Pix firewall modifies the DNS reply and replaces
> 129.174.1.13 with 192.168.2.50.
>
> Is there something similar that can be done with Checkpoint as well?
>
> Right now, the workaround for me is to put up an Internal DNS server
> and have host 192.168.1.10 and host 192.168.2.50 use that Internal
> DNS Server. But the customer wants to use the Internal DNS server
> for some other functions.
>
> Please help. TIA
>
> cisco4ng
>
>

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
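The DNS doctoring behaviour cisco4ng describes, as an added example that is not part of the thread: the firewall inspects the DNS reply on its way back to the internal client and swaps the A-record RDATA from the public static-NAT address to the inside address. The NAT table and the sample reply packet are constructed from the addresses given in the post; `build_reply` is a hypothetical helper that fabricates a minimal response for testing, not a real resolver.

```python
"""DNS doctoring: rewrite A records in a DNS reply so an internal client
receives the inside (pre-NAT) address of a host behind the same firewall."""
import struct

# Static NAT mappings from the thread (public -> internal); constructed sample.
NAT_TABLE = {
    "129.174.1.8": "192.168.1.10",   # db1.newco.com, Internal network
    "129.174.1.13": "192.168.2.50",  # crm.newco.com, Dmz network
}

def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt, nat_table=NAT_TABLE):
    """Return a copy of a DNS response whose answer-section A records have been
    rewritten per nat_table, plus the list of (public, internal) swaps made."""
    buf = bytearray(pkt)
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12                            # fixed 12-byte header
    for _ in range(qdcount):            # skip the question section
        off = _skip_name(buf, off) + 4  # name, then QTYPE + QCLASS
    rewrites = []
    for _ in range(ancount):            # walk the answer RRs
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            public = ".".join(str(b) for b in buf[off:off + 4])
            internal = nat_table.get(public)
            if internal:                # same length, so no offsets shift
                buf[off:off + 4] = bytes(int(o) for o in internal.split("."))
                rewrites.append((public, internal))
        off += rdlen
    return bytes(buf), rewrites

def build_reply(name, ip, txid=0x1234):
    """Hypothetical helper: a minimal DNS response carrying one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer
```

Only the answer section is rewritten here; a production implementation would also have to handle the additional section, TTLs and DNSSEC-signed replies, which a rewrite of RDATA would invalidate.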

