David DeSimone wrote:
> Dennis Breithaupt <[EMAIL PROTECTED]> wrote:
>>>> "Hide Cluster Member's outgoing traffic behind the Cluster's IP
>>>> Address". 
>>> I always turn off this setting.
>> That sounds interesting!  The only reason in my opinion to turn this
>> on is because of SR/SC-client connects, because the RDP-probing, ESP
>> and ISAKMP would be destined to and from the VRRP-IP.
> 
> This traffic operates independently of the "Hide traffic" setting named
> above.  If your VPNs specify the Cluster Object as their endpoint, then
> the cluster IP will be used for these connections regardless of whether
> you perform Hide NAT at all.
> 
> The mentioned setting only affects traffic originated by the OS running
> on the cluster members, as far as I can tell.  And I still cannot
> conceive of a reason why that traffic ought to be hidden behind the
> cluster IP.  It means that the secondary firewall can never receive
> anything.
[...]

Do you use site-to-site VPNs besides SR/SC with VRRP-nodes, too?
Because in the case of site-to-site, traffic could be
originating/initiated from our node, too. In that case we would need the
VRRP-IP as source and not the physical IP, too.

Indeed, we have specified the cluster object in all our VPN communities,
so that should be right.

We were not able to test that in production yet, but our CSP is on and
is trying to clarify in the lab and with Check Point.

Regards,
Dennis