Hugo, 

The option you referred to is available since version R55.  Under the CMA
NAT, there is a box that you check to indicate that this is your management
traffic.  What you said is entirely accurate but ONLY IF the firewall
in front of the CMA is a Check Point firewall.  The NAT device I have
in front of the P-1 is a Cisco device, NOT Check Point.  Therefore,
it does not apply in this situation.

I found out something else.  In NGX R65, even when I have static
one-to-one NAT for the P-1 IP address, user(s) on the internet can NOT
connect to my P-1 box via the MDG either:

ip nat inside source static 192.168.1.1 4.2.2.3
access-list External permit ip any any log

In other words, even in this configuration, user(s) on the internet
can NOT connect to P-1.  

The whole setup, both hide NAT and static NAT, works fine in 
NG AI R55.

This must be new in NGX or something.  Check Point has broken
something along the way, as usual.

Hugo van der Kooij <[EMAIL PROTECTED]> wrote:

cisco4ng wrote:
> Hi all,
> 
> I have a question regarding Provider-1 and NAT.
> 
> I have Provider-1 NG with AI R55 with HFA_20 running on Linux.
> The IP address of the P-1 is 192.168.1.1/24.  The P-1 sits behind
> a Cisco router and the router has a private IP address of
> 192.168.1.254/24.  The router also has a public IP address of
> 4.2.2.2/24.  I have this configuration on the router:
> 
> ip nat inside source static tcp 192.168.1.1 18190 interface Ethernet0/0 18190
> 
> In other words, anyone from the Internet with P-1 MDG connecting to
> IP 4.2.2.2, with the right credentials, can connect to my P-1.  That
> works flawlessly with P-1 NG/AI R55.
> 
> Today, I upgraded the P-1 box to NGX R65 w/ HFA_02 and now users on
> the internet cannot connect to the P-1 box via the MDG anymore.  I get
> the fingerprint message but after that, I get the message "failed to
> launch application", and the MDG crashes after that.
> 
> When I connect to the P-1 box with MDG from any machine in the
> 192.168.1.0/24 network, it works fine, so P-1 is not the issue.  By the way,
> I configured P-1 to accept connections from ANY hosts.
> 
> Did Check Point make any changes to the NGX MDG connection?  What used
> to work in AI now stops working in NGX, and I do not know why.

Can you try with another NAT solution? Like a test standalone SPLAT, just
to see if the issue is not an obscure combination of Check Point and
Cisco? Did you check if support for NAT is enabled on management
traffic? (Just from the top of my head, so I cannot tell you the exact
location, but I recall there was something to this regard added in NGX.)

Hugo.

--
[EMAIL PROTECTED]               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

 A: Yes.
 >Q: Are you sure?
 >>A: Because it reverses the logical flow of conversation.
 >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
