Here is a crazy one: you can try to double NAT each gateway/management to the real IP and back.
Another interesting idea is to make a site-to-site VPN with the gateways; thus you can use your real address.

Dori

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng
Sent: Monday, March 28, 2005 1:34 PM
To: [email protected]
Subject: [FW-1] SIC between SmartCenter and Enforcement Modules with SmartCenter behind a NAT device

I have the following situation:

I have a Checkpoint Management server, which is NG with AI R55W HFA_02 on SPLAT. This management server (aka SmartCenter Server) has a private IP address of 192.168.1.10/24. The SmartCenter Server is sitting behind a Cisco Pix firewall running Pix OS 6.3(4). The SmartCenter is being statically NATed by the Cisco Pix firewall to a public IP address of 129.174.1.8 because the management server needs to be able to manage about four other "remote" Checkpoint Enforcement Modules across the Internet.

The problem I am having is that when I try to perform SIC between the SmartCenter Server and the Enforcement Modules, SIC KEEPS FAILING. I've been told that SIC does NOT work via NAT if the NAT device in front of the SmartCenter is NOT A CHECKPOINT FIREWALL. Checkpoint has documentation on the workaround but it is really messy and not 100% foolproof. EVEN WITH A CHECKPOINT FIREWALL, THERE ARE STILL LIMITATIONS WITH SIC VIA STATIC NAT.

It seems the ONLY solution to this problem is to assign a public IP address to the SmartCenter if there is a non-Checkpoint NAT device in front of the SmartCenter Server. Checkpoint SEs keep telling me that this problem will be "fixed" in the next release (aka Dallas).

Is anyone having similar issues to mine when using a SmartCenter Server behind a NAT device (non-Checkpoint) to manage other remote Enforcement Modules, and having big issues with SIC?

Thanks.

cisco4ng
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
