Oops... Sorry, I misunderstood you... Many thanks, Sergio.

Sergio Alvarez wrote:
Dude, it IS possible.

Check what I wrote:

"but the deal here is proxy arp won't work automatically. *To make that
work, you must edit $FWDIR/conf/local.arp* "

So, there is your solution. Create as many manual NAT rules as you need and
then edit the local.arp file, including the 2 public IPs you are going to
use, associated with the external interface MAC Address. Bear in mind since
this is an HA cluster, you must edit such file on both members and use the
external interface MAC address of each one of them (this is because you are
in an active/standby mode, if you move to a load sharing scheme that could
change, but don't worry about it if you don't plan to change that soon).

Hope this helps.

On Thu, Feb 19, 2009 at 6:56 AM, Sergio Alvarez <[email protected]> wrote:

Hello,

You can use NAT in 2 ways with CheckPoint to publish services and it is NOT
necessary for the public IPs used for that matter, to be assigned to the
cluster itself.

1) Automatic NAT: Just create an object representing the internal server
you want to publish (with its private IP) and in the NAT tab of the object,
enable STATIC and type the public IP you want to use to publish this server.
Install the policy and Check Point will make sure to add the necessary
changes to do proxy arp.

2) Manual NAT: This scenario will be required if you need to do port
redirection because you must use the same public IP for more than one
service due to lack of enough public IPs (scenario described above works on
a one-to-one basis only). Here you need to go to the NAT tab of your Smart
Dashboard and manually create the required NAT rules, but the deal here is
proxy arp won't work automatically. To make that work, you must edit
$FWDIR/conf/local.arp (usually it won't be there by default and you must
create it). The contents of such file is just a list of IPs and corresponding
MAC Addresses separated by a space, one per line. Documentation says you must
restart a gateway after editing that file, but I have come to realize a
simple policy installation makes the changes take effect.

I hope this info will help.

Regards


On Thu, Feb 19, 2009 at 4:01 AM, carlopmart <[email protected]> wrote:

Hi all,

 I have recently installed two CheckPoint NGX R65 HFA40 nodes under RHEL3
ES with ClusterXL in HA mode (new HA mode only, without load sharing). I
have 6 public IPs assigned like this:

.1 = Router
.2 = checkPoint node1
.3 = checkPoint node2
.4 = clusterxl ip
.5 = free
.6 = free

 My problem is: how can I assign the .5 and .6 IPs to this cluster and use them
to publish some public services such as web servers??

 Using proxy arp?? but how??

 Many thanks for your help.
--
CL Martinez
carlopmart {at} gmail {d0t} com

Scanned by Check Point Total Security Gateway.


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



--
Sergio Alvarez
+(506)88301342






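An added example, not part of the original thread and not Check Point code: a Python check of each cluster member's local.arp content against the format described above (one `IP MAC` pair per line, with each HA member using its own external interface MAC). The addresses, MACs and the `check_local_arp` function are constructed for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def check_local_arp(text, member_mac, published_ips, reserved_ips=()):
    """Return a list of problems found in one member's local.arp content."""
    problems, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue  # skip blank lines
        if len(parts) != 2:
            problems.append(f"line {n}: expected '<ip> <mac>'")
            continue
        ip, mac = parts
        try:
            ip = str(ipaddress.IPv4Address(ip))
        except ValueError:
            problems.append(f"line {n}: bad IPv4 address {ip!r}")
            continue
        if not MAC_RE.match(mac):
            problems.append(f"line {n}: bad MAC {mac!r}")
        elif mac.lower() != member_mac.lower():
            # In active/standby HA each member must answer with its own MAC.
            problems.append(f"line {n}: {ip} uses {mac}, not this member's external MAC")
        if ip in reserved_ips:
            # Proxy ARP for an address owned by another host hijacks its traffic.
            problems.append(f"line {n}: {ip} already belongs to another host")
        if ip in seen:
            problems.append(f"line {n}: duplicate entry for {ip}")
        seen.add(ip)
    for ip in published_ips:
        if ip not in seen:
            problems.append(f"missing entry for published IP {ip}")
    return problems

# Constructed sample data (documentation-range addresses, made-up MACs).
PUBLISHED = ["203.0.113.5", "203.0.113.6"]
RESERVED = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]
NODE1_MAC = "00:11:22:33:44:01"
NODE2_MAC = "00:11:22:33:44:02"
NODE1_FILE = "203.0.113.5 00:11:22:33:44:01\n203.0.113.6 00:11:22:33:44:01\n"
# node2: first line copied from node1 unchanged, .6 forgotten, router IP added.
NODE2_FILE = "203.0.113.5 00:11:22:33:44:01\n203.0.113.1 00:11:22:33:44:02\n"

if __name__ == "__main__":
    for name, text, mac in (("node1", NODE1_FILE, NODE1_MAC), ("node2", NODE2_FILE, NODE2_MAC)):
        print(name, check_local_arp(text, mac, PUBLISHED, RESERVED) or "OK")
```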