Just to add a note here:

==> In any case the Firewall external interface should be a valid/routable IP address, as that is used in encryption. Also, if this is a remote Firewall and you are managing it from a management server situated in a different geographic location, you need to access this remote Firewall by some means (so either use tunnels between routers or something else).

--> You may try giving a private address (10.10.x.x, 192.168.0.x, etc.) to the external interface, then applying static NAT (on the Firewall box itself) for the external private address -> translated to -> some valid address of your network (may be from the internal network). So any packet leaving from the Firewall (originated from the Firewall only, e.g. FW policy traffic, encryption traffic, etc., not routed packets) will get NATed and get a valid source address.

--- Problems, problems ....
If you do the last steps, the following problems are certain:
(a) I tried the above and SecuRemote encryption ran without any problem, but when I tried site-to-site encryption it failed miserably.
(b) Encryption other than manual IPSEC won't work at all for site-to-site encryption. Now who uses manual IPSEC in production?? Huh! Nobody.
(c) If you are doing the same for a remote Firewall (giving a private IP address to the external interface and then applying NAT on the box itself to translate into a valid IP address, required to obtain the policy etc...), then the remote firewall must be running with the NAT rule applied already. This is a problem. In case you delete/disable the NAT rule for one test, you are dead: you can't push the policy back again to the remote FW.
(d) Checkpoint gods do not recommend this at all (as far as I know, up to FW-1 ver 4.0). So even if you apply your tricky head to make it work, next time you try to upgrade (hotfix, SP or new version) it is very likely you may break things apart. So avoid that if you can, and REMEMBER ONE SENTENCE AT LEAST while installing CP: "EXTERNAL INTERFACE ADDRESS MUST BE A VALID IP ADDRESS" for all practical purposes.

Rajeev
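As an added illustration (not part of this thread, and not Check Point's own tooling), the small Python lint below models the two failure modes the posters describe: a hide/translated address on the external segment that nobody answers ARP for, so the downstream router cannot deliver return traffic, and an RFC 1918 address on the external interface. The `Firewall` data model, its `nat_rules` tuple format and the `proxy_arp` set are hypothetical assumptions made for the example; the sample addresses are constructed.

```python
"""Added example: lint a hide/static-NAT plan for the problems raised above.
The Firewall data model and rule format are hypothetical, not Check Point's."""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges checked explicitly; ipaddress.is_private also matches the
# documentation networks (e.g. 203.0.113.0/24), which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Firewall:
    external_if_addr: str               # address bound to the external NIC
    external_net: str                   # the external segment, e.g. "203.0.113.0/24"
    proxy_arp: set = field(default_factory=set)    # addresses the FW answers ARP for
    nat_rules: list = field(default_factory=list)  # (original_net, translated_addr)


def arp_answered(fw: Firewall, addr: str) -> bool:
    """Would a router's ARP request for addr on the external segment get a reply?
    Only the NIC's own address and explicit proxy-ARP entries are answered."""
    return addr == fw.external_if_addr or addr in fw.proxy_arp


def lint(fw: Firewall) -> list:
    """Return human-readable findings; an empty list means the plan is clean."""
    findings = []
    ext_addr = ipaddress.ip_address(fw.external_if_addr)
    ext_net = ipaddress.ip_network(fw.external_net, strict=False)
    if any(ext_addr in net for net in RFC1918):
        findings.append(
            f"external interface {ext_addr} is RFC 1918: encryption peers and the "
            f"management server cannot reach it without an extra NAT or tunnel")
    for original, translated in fw.nat_rules:
        xlated = ipaddress.ip_address(translated)
        if xlated == ext_addr:
            continue                    # hiding behind the NIC's own address needs no ARP work
        if xlated not in ext_net:
            findings.append(
                f"{original} -> {xlated}: translated address is off the external segment; "
                f"return traffic arrives only if the upstream router routes it via this firewall")
        elif not arp_answered(fw, translated):
            findings.append(
                f"{original} -> {xlated}: no proxy-ARP entry, so the router cannot resolve "
                f"the hide address and return traffic is dropped")
    return findings


if __name__ == "__main__":
    # Constructed sample: hide the LAN behind an unused address on the external /24.
    fw = Firewall("203.0.113.2", "203.0.113.0/24",
                  nat_rules=[("192.168.1.0/24", "203.0.113.10")])
    for line in lint(fw):
        print("FINDING:", line)
    fw.proxy_arp.add("203.0.113.10")    # the fix tp describes: proxy ARP for the hide address
    print("after adding proxy ARP:", lint(fw))
```

Running the block prints one finding for the unanswered hide address and an empty list once a proxy-ARP entry for it is added; pointing the external interface at a 10.x address instead produces the RFC 1918 finding as well.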



[EMAIL PROTECTED] wrote:
> 
> Yes, it's possible, but I'm wondering what you are trying to do. I've seen
> many arguments on whether or not this should be done. You can hide behind
> any external address you own. What simplifies the external fw nic, is not
> having to deal with arp issues. Remember- when you hide behind an address
> that is not in use, you still have to proxy arp for it, so the downstream
> router can find you.
> 
> -tp
> 
> -----Original Message-----
> From: Larry Haff [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 08, 2000 7:44 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] Hide Internal Network NOT Using the FW's External IP
> 
> Hi All,
> 
> In trying to have a FW be as invisible as possible, I have often wondered if
> it would be desirable, or even possible, to hide the portion of a LAN that
> is not using NAT behind an IP address other than the one assigned to the
> external interface of the FW. Has anyone tried this? If yes, can you offer
> guidance?
> 
> Larry Haff
> Network and Technical Administrator
> Institute of Computer Technology
> Email: [EMAIL PROTECTED]
> 
> ============================================================================
> ====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ============================================================================
> ====
> 

-- 
#########################################################################
 (Titanic creators used Linux to simulate the sinking of the great ship)
######################################################################### 
                    Rajeev  Kumar ([EMAIL PROTECTED])
        Fluent Inc. 10, Cavendish Court, Lebanon NH-03766
-------------------------------------------------------------------------
Phone :: (603)-643-2600 x 349    Fax :: (603)-643-3967
                Web:: http://www.fluent.com 
#########################################################################

