Hi all,

Two old enemies are allying with each other to pop up in my nightmares.

Two firewalls, Windows 2000 SP4, CheckPoint R55 HFA03 - the latest.

Inside and DMZs, vanilla hub/switches.
Outside, a hub connects the cluster to a couple of Cisco routers configured
for HSRP redundancy.

I tried out several configurations for the cluster, but the frustrating
results seem to indicate there are serious problems getting static NATs to
work with the cluster: I cannot reach NATed services from the outside.

If I delete the cluster object and assign the Virtual IPs to the physical
interfaces on one node while the other is off, it works like a charm.
Automatic ARP does it, or I can turn it off and use the local.arp file.

Working with the cluster is a bit different: outgoing traffic (hidden behind
cluster external interface) works, inbound traffic doesn't get to the
servers.

A little troubleshooting seems to blame ARP for it all. When using automatic
ARP, no luck. Using the local.arp file makes no difference. I even tried
fwparp.exe, but it worked for a few hours and then stopped (maybe when the
router's ARP cache flushed).

I tried using unicast load sharing, multicast (even though my routers don't
seem to like mcast very much), and HA new mode. I didn't try legacy mode yet,
just because it is deprecated by CP's documentation.

What turns out in every case is that the cluster seems able to ARP out for
the cluster virtual IP address, but can't do it for NATed addresses, no
matter how I try to set it up.

Using automatic ARP, it looks like it doesn't ARP at all.

Using local.arp, both nodes ARP, confusing the router (and the effect seems
to be like no ARP at all...)

Are there any experiences you can share on how to configure the cluster in
such a configuration? Is it possible to make it work with static NAT? Should
I use automatic ARP or what?

Thank you all in advance...

    NA
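As an added diagnostic (not part of the original post and not a Check Point tool), a small Python script that classifies what the outside router's ARP cache holds for each static-NAT address: the same MAC as the cluster VIP (expected), one node's physical MAC (a node answered ARP locally, which is the "both nodes ARP" symptom), or no entry at all (the "doesn't ARP at all" symptom). The `show ip arp` sample, the addresses and the MACs are all constructed.

```python
import re
from typing import Dict

# Constructed sample of Cisco 'show ip arp' output as seen on the outside router.
# 192.0.2.1 is the cluster's virtual IP; 192.0.2.10-.12 are the static-NAT addresses.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.254             -   0000.0c07.ac01  ARPA   FastEthernet0/0
Internet  192.0.2.1               2   0001.0203.0405  ARPA   FastEthernet0/0
Internet  192.0.2.10              2   0001.0203.0405  ARPA   FastEthernet0/0
Internet  192.0.2.11              5   0001.0203.aabb  ARPA   FastEthernet0/0
"""

# Constructed (hypothetical) values: the published static-NAT addresses, the
# cluster VIP, and the MAC of each node's physical outside interface.
NAT_ADDRESSES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
CLUSTER_VIP = "192.0.2.1"
NODE_MACS = {"0001.0203.aabb": "fw-node-a", "0001.0203.ccdd": "fw-node-b"}

# 'Internet <ip> <age> <mac>' in Cisco dotted-hex MAC form.
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I
)


def parse_show_ip_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lowercased dotted form) from 'show ip arp' output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def classify_nat_entries(arp: Dict[str, str]) -> Dict[str, str]:
    """For each static-NAT address, state what the router learned for it."""
    vip_mac = arp.get(CLUSTER_VIP)
    verdicts: Dict[str, str] = {}
    for ip in NAT_ADDRESSES:
        mac = arp.get(ip)
        if mac is None:
            verdicts[ip] = "missing: nobody answered ARP for this NAT address"
        elif mac == vip_mac:
            verdicts[ip] = "ok: same MAC as the cluster VIP"
        elif mac in NODE_MACS:
            verdicts[ip] = f"node-local: answered by {NODE_MACS[mac]}'s physical interface"
        else:
            verdicts[ip] = f"unexpected MAC {mac}"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_nat_entries(parse_show_ip_arp(SAMPLE_SHOW_IP_ARP)).items():
        print(ip, verdict)
```

Run it against a fresh `show ip arp` capture taken right after clearing the router's ARP cache; re-running it a few minutes later shows whether entries expire without being re-learned.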
