Hello Cisco4ng.
I was wondering: can you edit each server's hosts file, so that the other
server's name gets resolved to the IP address that you want?

That way, DNS will not even be used when one wants to access the other.

-RoNNY


On 1/15/06, cisco4ng <[EMAIL PROTECTED]> wrote:
>
> Hi Gurus,
>
> Please advise with the following scenario:
>
> Checkpoint Secureplatform NG with AI R55w and the latest HFA_04.
> This firewall has 3 interfaces, Internet, Internal and Dmz.
>
> I have a host in my Internal network with an IP address of 192.168.1.10.
> This host is static NAT to the Internet with an IP address
> of 129.174.1.8.
>
> I have a host on the Dmz network with an IP address
> of 192.168.2.50.  This host is static NAT to the Internet with an
> IP address of 129.174.1.13.
>
> The DNS server is being hosted by my ISP.  The host 129.174.1.8 has
> a Fully Qualified Domain Name (FQDN) of db1.newco.com and the host
> 129.174.1.13 has an FQDN of crm.newco.com.
>
> Back to my network, the host 192.168.1.10 and the host 192.168.2.50
> communicate with each other using the real addresses and everything is
> working fine via IP address.
>
> Here is my problem:
> The customer just recently migrated from a Cisco Pix to Checkpoint
> Firewall.  The customer has a proprietary application installed on
> both host 192.168.1.10 and host 192.168.2.50.  This application
> communicates between host 192.168.1.10 and host 192.168.2.50 via
> Fully Qualified Domain Name (FQDN).  It means that the application is
> embedded with the FQDN of db.newco.com and crm.newco.com in the
> application itself.  To make the matter worse, it looks up the name
> via DNS.  As you can see, it causes the problem because two hosts
> behind the firewall are trying to communicate with each other via public
> addresses.
>
> With Cisco Pix firewall, there is a feature called DNS doctoring.
> For example, when host 192.168.1.10 communicates with crm.newco.com,
> it goes to the DNS server, which sits outside the firewall, and gets
> a resolution of 129.174.1.13.  Before the reply comes back to host
> 192.168.1.10, the Pix firewall modifies the DNS query and replaces
> 129.174.1.13 with 192.168.2.50.
>
> Is there something similar that can be done with Checkpoint as well?
>
> Right now, the workaround for me is to put up an Internal DNS server
> and have host 192.168.1.10 and host 192.168.2.50 use that Internal
> DNS Server.  But the customer wants to use the Internal DNS server
> for some other functions.
>
> Please help.  TIA
>
> cisco4ng
>
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
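To make concrete what the PIX "DNS doctoring" behaviour above actually does on the wire, here is an added Python example (not code from this thread or from any Cisco or Check Point product). It constructs a minimal DNS response for crm.newco.com, then rewrites any A record whose rdata is one of the thread's static-NAT public addresses (129.174.1.8, 129.174.1.13) to the matching internal address; the NAT table and the sample response are constructed from the figures in the post.

```python
import ipaddress
import struct

# Constructed static-NAT table from the thread: public address -> internal address
STATIC_NAT = {
    "129.174.1.8": "192.168.1.10",   # db1.newco.com
    "129.174.1.13": "192.168.2.50",  # crm.newco.com
}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def build_response(qname, ips, ttl=300):
    """Constructed DNS response: one question plus one A record per ip."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + question + rrs

def doctor_response(msg, nat_table=STATIC_NAT):
    """Rewrite every A record whose rdata is a static-NAT public address to the
    matching internal address. A firewall applies this only to replies going
    to the inside interface; here the caller makes that decision."""
    buf = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4           # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if public in nat_table:
                buf[off:off + 4] = ipaddress.IPv4Address(nat_table[public]).packed
        off += rdlen
    return bytes(buf)
```

Because only the 4-byte rdata changes, the doctored reply is byte-identical to one the ISP server would have sent with the internal address, so the client application needs no change; the hosts-file or internal-DNS workarounds in the thread achieve the same end result without touching packets.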

