Jason-

Your problem is the management station not being accessible from the
Internet. Try configuring NAT on your management station's object for a
static map from an externally routable IP address to the 10 net address on
your management box. For example, if your public IP address block is
200.200.200.0 to 200.200.200.255 and your management box is 10.1.1.50, you
can set up NAT for the host so that users on the outside can access the box
at, say, 200.200.200.50. In this configuration, NAT and the firewall take
care of the problem for you. This will make it accessible from the Internet
and take care of the 10 net issues. You can use this trick on any servers
that have a 10 dot address but need to be externally accessible; just make
sure you have a valid block of Internet routable IPs to link them to. Read
over NAT configuration some for the details on how to set it up.

Once you have crossed this hurdle, you should be working if SR is set up
properly. At that point, you can start testing and troubleshooting the SR
side of the problem. To answer your question about encryption with the
firewall module, the management station sets everything up for you when a
user starts an SR session, so the user only has to know the IP of the
management station when they set up the site. The firewall module is
transparent to them.

Good luck and hope this helps!


John Hathcock
Network Engineer
American Cancer Society
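The static map John describes is a one-to-one NAT: a routable address from the public block stands in for the management station's 10-net address, so outside hosts never need a route to the 10 net. The model below is an added illustration, not code from this thread or from Check Point; FW-1 4.0 configures this through the host object's NAT tab, and the 200.200.200.0/24 block, the 10.1.1.50 station and the 198.51.100.7 client are the thread's example values plus one constructed outside address. It shows the two header rewrites the firewall performs (destination on the way in, source on the way back) and the two checks worth making when you pick the addresses: the public address must actually lie in your routable block, and the map must stay one-to-one.

```python
"""Model of 1:1 static NAT in front of a management station on a 10-net.

Added example: this is not Check Point code, and it does not talk to a
firewall. It only reproduces the translation a static NAT rule performs so
the address choices in the thread can be sanity-checked.
"""
from ipaddress import ip_address, ip_network

# RFC 1918 space: addresses that are not routable on the Internet.
PRIVATE_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


class StaticNat:
    """One-to-one (static) NAT table bound to one routable public block."""

    def __init__(self, public_block):
        self.public_block = ip_network(public_block)
        self.pub_to_priv = {}
        self.priv_to_pub = {}

    def add_host(self, public_ip, private_ip):
        """Map one routable address to one private host, with sanity checks."""
        pub, priv = ip_address(public_ip), ip_address(private_ip)
        if pub not in self.public_block:
            raise ValueError(f"{pub} is not inside the routable block {self.public_block}")
        if not any(priv in net for net in PRIVATE_NETS):
            raise ValueError(f"{priv} is already routable; no static NAT needed")
        if pub in self.pub_to_priv or priv in self.priv_to_pub:
            raise ValueError("static NAT must be one-to-one; address already mapped")
        self.pub_to_priv[pub] = priv
        self.priv_to_pub[priv] = pub

    def inbound(self, packet):
        """Packet from the Internet: rewrite the destination to the private host.

        Returns None when no static map exists, i.e. the firewall has nothing
        to translate and the packet goes nowhere useful.
        """
        dst = ip_address(packet["dst"])
        if dst not in self.pub_to_priv:
            return None
        return {**packet, "dst": str(self.pub_to_priv[dst])}

    def outbound(self, packet):
        """Reply from the private host: rewrite the source to its public address."""
        src = ip_address(packet["src"])
        if src not in self.priv_to_pub:
            return None
        return {**packet, "src": str(self.priv_to_pub[src])}


def management_station_example():
    """Walk the thread's example through the model and return both rewrites."""
    nat = StaticNat("200.200.200.0/24")          # the public block from the thread
    nat.add_host("200.200.200.50", "10.1.1.50")  # management station mapping

    # Constructed outside client (documentation address, 198.51.100.0/24).
    request = {"src": "198.51.100.7", "dst": "200.200.200.50"}
    translated_in = nat.inbound(request)

    reply = {"src": "10.1.1.50", "dst": "198.51.100.7"}
    translated_out = nat.outbound(reply)

    return translated_in, translated_out


if __name__ == "__main__":
    inbound, outbound = management_station_example()
    print("inbound after NAT :", inbound)
    print("outbound after NAT:", outbound)
```

Two failure modes the checks catch: choosing a public address outside the block you actually own (it would be routed to someone else, not to your firewall), and mapping two hosts to the same public address (static NAT cannot disambiguate them; that needs port-based hide NAT, which is a different rule type).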




Date: Tue, 13 Jun 2000 13:21:53 -0500
From: Jason Witty <[EMAIL PROTECTED]>
Subject: [FW1] SecuRemote w/firewall and console separate

All,

I have what I would consider a fairly common setup for a large
enterprise, with an internal FW-1 4.0 3DES-SP5 management console
managing several remote 4.0 firewall modules.  I have now been asked to
VERY rapidly implement SecuRemote which should terminate connections on
one of the firewall modules.  The scenario is as follows:

Management Console has a single 10.x.x.x interface, and is licensed for:
     controlx pfmx oseu vpnstrong connect motif srunlimit

Remote Firewall Module has an internal 192.168.x.x, an external public
interface (that I originally thought would be the VPN termination
address), a DMZ interface, and is licensed for:
     pfmx vpnstrong motif srunlimit

I need to get this up and working but have been running into ALL KINDS
of issues.  Firstly, I'm hearing from everyone (including Phoneboy's FAQ
at http://www.phoneboy.com/fw1/faq/0202.html) that the SR sessions have
to negotiate with the management console, NOT the firewall module.  But
if that's true, then how does the *firewall* module do the decryption?
And what do I do differently in the SecuRemote config?  Do I put the
management console in as the "Site Identification Name:" when building a
new config (I understand that to do this I'd obviously have to add a
static NAT for the console's internal 10-dot to something routable)?

Also, I will need to be giving access to Internet users who have
routable, static IPs, but they will need access to 10-dot internal
hosts.  With that in mind, which encapsulated encryption protocol is
best there?

Much confused and MANY thanks in advance,

Jason



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
