Greetings!
Mike Glassman - Admin wrote:
> Yes, we use security servers (CVP).
> Have you managed to find a workaround? This causes major problems as I'm
> sure you imagine when trying to shape the data to the internet, as I do not
> want to shape data to and from the valid FW external leg.
>
> > -----Original Message-----
> > From: Volker Tanger [SMTP:[EMAIL PROTECTED]]
> > Mike Glassman - Admin wrote:
> > > my Router, using a shaping/logging tool we have, I see that the Proxy is
> > > going out on the FW's legal Internet address and not as the NAT'd
> > > address I gave it.
> >
> > You are using the security servers (i.e. rules with resources) I assume?
> > Checkpoint seems to be behaving like a standard proxy in that case
It seems that that is a known "beature" - anytime security servers are used the
Checkpoint behaves like a proxy - with NAT having no effect. See the FAQ
articles:
* http://www.phoneboy.com/faq/0190.html
* http://www.phoneboy.com/faq/0049.html
As for a workaround I cite the FAQ: "There is no way around this."
One idea is to use the AntiVirus server as relay proxy - instead of using CVP.
Then you could use HTTP without a resource for outgoing - which will enable
NAT.
One weird, non-tested idea - if you do not want to configure all your clients:
* set up the AV server (in DMZ) as proxy
* allow "Internal" to "Any" using URI resource and point to the AV as
upstream proxy
* allow the AV proxy HTML out (without resource) to "Any"
Warning: this is just a quick shot - untested and non-researched. But I'd be
highly interested whether this will work as thought.
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/