Randall,

From what I can gather from the conversations that I have had with the
"owner" of the Checkpoint, he is using the Checkpoint's failover.
Just to let you folks know, we created a connection between a stand-alone CPW
and my PIX and it worked great once I cleared up the SA. The config info can
be retrieved from www.cisco.com/warp/public/110/cp-p.html

I was just going to ping the far side LAN to create the error I was getting
yesterday when I hit the Cluster and I found that it is now working.

I talked to the owner just now and asked him what he did. He said he
modified the Vnats (?) manually and got it working. He will send me info to
detail what he did which I will pass on to you.

PS he plans to join the firewall list. {8->


-----Original Message-----
From: Paige, Randall [mailto:[EMAIL PROTECTED]] 
Sent: Friday, October 26, 2001 9:29 AM
To: 'Brian Ford'; Rod Cappon
Cc: [EMAIL PROTECTED]
Subject: RE: VPN tunnel between PIX and Checkpoint in a failover config


I would want to know whose failover functionality
is being used: Checkpoint's failover feature or Nokia's VRRP. Also, the
Checkpoint fw pair needs to be defined as a "Cluster". The Checkpoint needs
to be SP3 or later, and the following change needs to be made to make all packets
originate with the "Cluster IP":

1. Upgrade both management console and firewall module to FireWall-1 4.1 SP3
or later. 

2. Add the IPSec_cluster_nat property to the :props set in the
$FWDIR/conf/objects.C on Management Module

               :IPSec_cluster_nat (true)
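
As an added example (not from anyone in this thread), a small Python checker that parses the nested `:key (value)` syntax of objects.C and confirms that the property from step 2 is set under `:props`. The sample file contents, the object names and the 192.0.2.10 address are constructed placeholders, and only the nesting syntax is assumed about the real file.

```python
import re

# Constructed sample in the style of $FWDIR/conf/objects.C (assumption: the real
# file is far larger; only the ":name (value)" nesting and :props are relied on).
SAMPLE_OBJECTS_C = """(
    :props (
        :fw1_enable (true)
        :IPSec_cluster_nat (true)
    )
    :network_objects (
        :cluster-fw (gateway_cluster
            :ipaddr (192.0.2.10)
        )
    )
)"""

# Tokens: parentheses, ':'-prefixed keys, quoted strings, bare atoms.
TOKEN = re.compile(r'\(|\)|:[A-Za-z0-9_\-]+|"[^"]*"|[^\s()]+')

def parse_objects_c(text):
    """Turn objects.C nesting into dicts; a single bare atom becomes a string."""
    tokens = TOKEN.findall(text)
    pos = 1  # skip the outermost '('

    def parse_group():
        nonlocal pos
        node, atoms = {}, []
        while tokens[pos] != ')':
            tok = tokens[pos]
            pos += 1
            if tok.startswith(':'):          # child entry ':key (...)'
                if tokens[pos] != '(':
                    raise ValueError("expected '(' after %s" % tok)
                pos += 1
                node[tok[1:]] = parse_group()
            else:                            # bare atom inside the group
                atoms.append(tok.strip('"'))
        pos += 1  # consume the closing ')'
        if not node:
            return atoms[0] if len(atoms) == 1 else atoms
        if atoms:                            # leading type atom, e.g. gateway_cluster
            node['_type'] = atoms[0]
        return node
    return parse_group()

def cluster_nat_enabled(text):
    """True only if :props carries :IPSec_cluster_nat (true)."""
    props = parse_objects_c(text).get('props', {})
    return isinstance(props, dict) and props.get('IPSec_cluster_nat') == 'true'
```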



-----Original Message-----
From: Brian Ford [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 10:01 PM
To: Rod Cappon
Cc: [EMAIL PROTECTED]
Subject: Re: VPN tunnel between PIX and Checkpoint in a failover config


Rod,

I hope that the CP Gurus can shed light on this.

If you configure the PIX to build an IPsec tunnel to a CP at xxx.xxx.xxx.0 
and the CP at xxx.xxx.xxx.1 responds, the PIX won't want to build a 
tunnel.  Should it?  I don't think so.

I have seen this before but it was resolved by not using the CP VPN 
failover feature.  Those folks didn't really give it a good college 
try.  They had to make it work (quickly within a change control 
window).  Maybe you will have better luck?

Liberty for All,

Brian

At 05:16 PM 10/24/2001 -0700, Rod Cappon <[EMAIL PROTECTED]> wrote:
>Message: 2
>From: Rod Cappon <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: VPN tunnel between PIX and Checkpoint in a failover config
>Date: Wed, 24 Oct 2001 13:39:47 -0600
>
>
>I am trying to set up a LAN to LAN VPN tunnel between a PIX Firewall and two
>Checkpoint Firewalls set up in a Failover Configuration. The CPF has a
>virtual IP set up on the cluster and 2 real IP addresses on the firewalls.
>So the outside looks something like this: xxx.xxx.xxx.0 = Virtual
>Firewall, xxx.xxx.xxx.1 = CPF #1, xxx.xxx.xxx.2 = CPF #2. I own the PIX and
>another company owns the CPF. When I set up the PIX with the
>xxx.xxx.xxx.0, the reply comes from xxx.xxx.xxx.1. Has anyone seen this
>before, and how did you solve it? This is a call, I think, to all you CPF
>gurus.
>
>
>Rod Cappon

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls