Hi Gurus,
Please advise with the following scenario:
Checkpoint Secureplatform NG with AI R55w and the latest HFA_04.
This firewall has 3 interfaces, Internet, Internal and Dmz.
I have a host in my Internal network with an IP address of 192.168.1.10.
This host is static NAT to the Internet with an IP address
of 129.174.1.8.
I have a host on the Dmz network with an IP address
of 192.168.2.50. This host is static NAT to the Internet with an
IP address of 129.174.1.13.
The DNS server is being hosted by my ISP. The host 129.174.1.8 has
a Fully Qualified Domain Name (FQDN) of db1.newco.com and the host
129.174.1.13 has an FQDN of crm.newco.com.
Back to my network, the host 192.168.1.10 and the host 192.168.2.50
communicate with each other with the real address and everything is
working fine via IP address.
Here is my problem:
The customer just recently migrated from a Cisco Pix to Checkpoint
Firewall. The customer has a proprietary application installed on
both host 192.168.1.10 and host 192.168.2.50. This application
communicates between host 192.168.1.10 and host 192.168.2.50 via
Fully Qualified Domain Name (FQDN). It means that the application is
embedded with the FQDN of db.newco.com and crm.newco.com in the
application itself. To make the matter worse, it looks up the name
via DNS. As you can see, it causes the problem because two hosts
behind the firewall are trying to communicate with each other via public
addresses.
With the Cisco Pix firewall, there is a feature called DNS doctoring.
For example, when host 192.168.1.10 communicates with crm.newco.com,
it goes to the DNS server, which sits outside the firewall, and gets
a resolution of 129.174.1.13. Before the reply comes back to host
192.168.1.10, the Pix firewall modifies the DNS query and replaces
129.174.1.13 with 192.168.2.50.
Is there something similar that can be done with Checkpoint as well?
Right now, the workaround for me is to put up an Internal DNS server
and have host 192.168.1.10 and host 192.168.2.50 use that Internal
DNS Server. But the customer wants to use the Internal DNS server
for some other functions.
Please help. TIA
cisco4ng
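The DNS doctoring behaviour described in the post, written out as an added example (not code from the original thread or from either vendor): a function that walks a DNS response and rewrites any A-record answer whose address appears in the static NAT table with the matching internal address. The NAT table uses the addresses from the post; the sample response is constructed for the test.

```python
import struct
import ipaddress

# Static NAT table from the post: public address -> real internal address.
STATIC_NAT = {
    "129.174.1.8": "192.168.1.10",   # db1.newco.com
    "129.174.1.13": "192.168.2.50",  # crm.newco.com
}

def _skip_name(pkt, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:                # root label ends the name
            return off + 1
        off += 1 + length

def doctor_dns_response(pkt, nat_table=STATIC_NAT):
    """Rewrite A-record rdata that matches a public static-NAT address with the
    internal address, as Pix DNS doctoring does. Returns a new bytes object."""
    buf = bytearray(pkt)
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12                           # fixed DNS header
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4 # skip QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            public = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if public in nat_table:
                buf[off:off + 4] = ipaddress.IPv4Address(nat_table[public]).packed
        off += rdlen
    return bytes(buf)

def build_a_response(name, address, txid=0x1234, ttl=300):
    """Constructed test input: a minimal response with one question and one A answer
    whose owner name is a compression pointer back to the question (offset 12)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(address).packed
    return header + question + answer
```

In a real gateway this rewrite is applied only to replies crossing the NAT boundary inbound, and the UDP checksum must be recomputed after the payload changes.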