Hi Andrew,

I am not NATting anything. I used the sdopts.rec method and it works. Thanks for your help.

That being said, I downgraded the firewall from NGx R61 to an NG Feature Pack 3 firewall and it works WITHOUT the sdopts.rec file. It also works with NG with AI R55w WITHOUT the sdopts.rec file. I only have this issue with NGx R61. The setup is identical in all 3 cases.

Thanks again.
Andrew W Barkley <[EMAIL PROTECTED]> wrote:

Hi ...

For a good explanation see "Checkpoint Solution ID: #sk30992" (Integrating RSA ACE server with NG with AI R55 gateway cluster, for SecurID authentication).

Example 1: If you do NOT source NAT SecurID traffic, you have to create an independent agent host for each firewall in the cluster, then you would include only each gateway's routable IP (routable to the SecurID server) in the sdopts.rec.

Example 2: However, if you are source NATting your SecurID traffic (which is what happens anyway with "cluster hide & cluster fold"), you would only have to create one agent host (for the cluster), then you would include only the cluster's routable IP (routable to the SecurID server) in the sdopts.rec.

In general configure as follows:

NOTE: Create NAT rule to NOT NAT cluster gateways > SecurID server

1) Create Agent Host for each gateway (SecurID administration)
   Agent Type = Unix Agent i.e. Unix/Linux etc ...
   Agent Type = Communication Server i.e. Cisco/Nokia etc ...
2) Modify user auth = SecurID
3) Add each gateway to SecurID server /etc/hosts
4) Ensure SecurID ports open between gateways & SecurID server
5) Create /var/ace (root)(rw) on each gateway, generate sdconf.rec, copy to /var/ace/
6) Create /var/ace/sdopts.rec, enter CLIENT_IP="your gateway source IP" (routable to SecurID server)
7) Restart each gateway (cpstop && cpstart)
8) Tail SecurID logs whilst logging into gateways (SecurID) for any errors etc

Best regards
Andrew

cisco4ng
Sent by: Mailing list for discussion of Firewall-1
10/07/2007 14:20
Please respond to Mailing list for discussion of Firewall-1
To: [email protected]
cc:
Subject: [FW-1] SecureRemote with SecurID authentication for Checkpoint NGx R61 firewall

Hi All,

I've spent a day on this without much success.

Enforcement module is Checkpoint NGx R61 with HFA_01 on Nokia IPSO 4.1 build 33. Just a single firewall, but I am running Nokia VRRP on the enforcement module. SmartCenter is Checkpoint NGx R61 with HFA_01 on Nokia IPSO 4.1 build 33 as well. Everything is running on an eval license. RSA SecurID is running on Windows 2003 Enterprise Server SP2. I also have SmartConsole installed on this server.

Nokia enforcement module has an IP address of 10.209.84.36/24 with the VRRP IP address of 10.209.94.35. SmartCenter has an IP address of 10.209.84.37/24. RSA SecurID has an IP address of 10.209.84.27/24.

I created an account on the RSA server called "testme" and gave it Administrator privilege. I also created an agent host for SmartCenter. I then generated the file sdconf.rec for this agent host and dumped it into the /var/ace directory of the SmartCenter. Then I cpstop;cpstart the SmartCenter. I then created an admin account on the SmartCenter and gave it SecurID. I can log into the SmartCenter with the account I created on the RSA server just fine. Everything is good so far.

I then created another agent host on the RSA server for the Nokia firewall. On the agent host for the Nokia firewall, I specified "communication server".
I specified the IP address 10.209.84.36 for the agent host; on the "secondary nodes", I specified the VRRP address of the Nokia firewall. I then generated the sdconf.rec file and dumped it into the /var/ace directory of the Nokia firewall. I then performed "cpstop;cpstart" on the Nokia firewalls.

I created a "generic*" account with external profile on the SmartCenter and assigned "SecurID" for authentication. I then created a user group called "test-group" with generic* as a member. I then created a SecureRemote VPN rule via simplified mode. Finally I pushed the policy.

Now every time I try to authenticate via SecureRemote, I always see this message in the RSA server log file:

testme/dca2-nokia-1-P access denied, bad user password.

I know that I have the right password because this testme account is the admin account that I use to log onto the RSA server itself. I've seen this error in the past and to fix it, I have to regenerate a new sdconf.rec file. However, I've done it about 20 times already this time around and it is still not working.

Can someone help please?

Thanks.
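As an added example (not part of this thread, and not Check Point's or RSA's own tooling), the following POSIX shell script stages the two files Andrew's steps 5 and 6 put under /var/ace on each gateway: sdopts.rec with the CLIENT_IP the agent should present to the RSA server, and a sanity check that sdconf.rec is actually present before the cpstop/cpstart in step 7. The function names, the bare CLIENT_IP=<address> line format, and the use of a directory parameter instead of a hard-coded /var/ace are assumptions made so the script can be exercised against a temporary directory; on a real gateway you would call it as root with /var/ace and the gateway address that is routable to the RSA server (10.209.84.36 in the setup above).

```shell
#!/bin/sh
# Added example, not from the thread: stage the ACE/SecurID agent files that
# Andrew's steps 5-7 describe and verify them before restarting the gateway.
#   sdconf.rec  - generated on the RSA server for this agent host, copied over
#   sdopts.rec  - CLIENT_IP=<gateway address routable to the RSA server>
# Function names, the CLIENT_IP line format and the directory parameter are
# assumptions made for this example.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] || return 1
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Write sdopts.rec so the agent presents $2 as its source address (step 6).
# $1 = agent directory (/var/ace on a real gateway), $2 = gateway IP.
write_sdopts() {
    _dir=$1
    _ip=$2
    is_ipv4 "$_ip" || { echo "write_sdopts: '$_ip' is not an IPv4 address" >&2; return 1; }
    mkdir -p "$_dir" || return 1
    # sdconf.rec seeds the node secret exchange with the RSA server: keep the
    # directory readable by root only (Andrew's "(root)(rw)").
    chmod 700 "$_dir"
    printf 'CLIENT_IP=%s\n' "$_ip" > "$_dir/sdopts.rec" || return 1
    chmod 600 "$_dir/sdopts.rec"
}

# Check the directory the way you would before cpstop && cpstart (step 7):
# sdconf.rec present and non-empty, sdopts.rec carrying a valid CLIENT_IP.
# Prints the CLIENT_IP on success, returns non-zero with a reason otherwise.
check_ace_dir() {
    _dir=$1
    [ -s "$_dir/sdconf.rec" ] || { echo "check: $_dir/sdconf.rec missing or empty (regenerate it on the RSA server)" >&2; return 1; }
    [ -f "$_dir/sdopts.rec" ] || { echo "check: $_dir/sdopts.rec missing" >&2; return 1; }
    # Accept CLIENT_IP=1.2.3.4 and CLIENT_IP="1.2.3.4"; take the first match.
    _ip=$(sed -n 's/^CLIENT_IP=//p' "$_dir/sdopts.rec" | head -n 1 | tr -d '"')
    is_ipv4 "$_ip" || { echo "check: CLIENT_IP '$_ip' in sdopts.rec is not a valid IPv4 address" >&2; return 1; }
    echo "$_ip"
}

# Usage on a gateway (as root, after copying sdconf.rec into /var/ace):
#   write_sdopts /var/ace 10.209.84.36 && check_ace_dir /var/ace
```

The check deliberately refuses an empty sdconf.rec: a zero-byte or stale copy produces exactly the "bad user password" style rejection on the RSA side that the thread describes, and regenerating the file without confirming it landed on the gateway does not help.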
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
