Hi,
I'm getting this message from Firewall-1. My license is for 50
nodes. I'm sure that I have less than 50 nodes in my internal network.
My Firewall-1 runs on a Solaris machine, with only two network
adapters. My external.if is configured with the name of the external
interface (elxl0).
In /var/adm/messages I'm getting hundreds of EXTERNAL IPs. It seems
like FW-1 is treating them as internal...
Well, it seems like the problem is the external subinterface I have
configured. It is located in my external network, and it's not in the
external.if.
Ifconfig -a shows:
(external) elxl0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet x.x.x.x netmask ffffffc0 broadcast x.x.x.x
        ether 0:10:5a:cc:cf:1d
(subinterface) elxl0:1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet y.y.y.y netmask ffffff00 broadcast y.y.y.y
(internal) elxl1: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
        inet z.z.z.z netmask ffffff00 broadcast z.z.z.z
        ether 0:10:5a:aa:24:cb
The subinterface's IP address belongs to a different subnet than
the primary external interface.
(I'm doing this because I have a static NAT for an internal server, and its
real IP address (published to the Internet) belongs to a network (class C) other
than the external primary interface. The NAT only worked after I configured
the subinterface, with an IP address in the same IP network as the "NATed"
server.)
I think that Firewall-1 is treating all IPs that reach the
subinterface (located physically in the external network) as internal
addresses, and so my license is not sufficient.
Is it right? Or could it be something else?
If I'm right, I'll have to try another solution, without the
subinterface?
Phoneboy says: "The external interface is often the interface
facing your Internet router. If you have more than one "external" interface,
you should be using an unlimited node license"
This is bad.......... :(
TIA,
Oswaldo Gomes