Hi guys, I'm a Checkpoint DMZ virgin, have to admit, and because of Citrix and alternate address requirements I more or less have to set up a DMZ interface using some of our block of 12 public IP addresses on the servers therein, as opposed to just using our existing private 192.168.x.x network and NATing servers to our public IP addresses as I usually do (which may or may not be optimal). I have an IP110 with IPSO 3.5FCS7 and 4.1 SP-6.
This is the existing setup:

    Internet Router
          |
          |
      (eth-s1p1)
        IP110 (eth-s2p1)-- Private 192.168.x.x network with Hide NAT, some servers NATed to public IPs
              (eth-s3p1)-- unused

My desired config would look like this:

    Internet Router
          |
          |
      (eth-s1p1)
        IP110 (eth-s2p1)-- Private 192.168.x.x network with Hide NAT, some servers NATed to public IPs
              (eth-s3p1)-- DMZ w/Public IPs

I just spoke to Nokia support about setting this up and got the following information, though the guy seemed somewhat unsure of his advice:

1) in Voyager, set up eth-s3p1 with another IP address from our Public block (as per how the eth-s1p1 external interface is defined)
2) in FW-1, define the eth-s3p1 network
3) create rules, address translation between the eth-s2p1 network and eth-s3p1 network, etc.

Is that basically all there is to it? Will having some of our block of public IP addresses NATed from the private network on eth-s2p1 conflict with the others on eth-s3p1, even if they are not the same addresses (of course)?

Also, is it necessary to waste a public IP on the eth-s3p1 interface itself? I know that on Sonicwalls, you do not have to have an IP for the DMZ interface itself, just for the devices on that interface. Perhaps I could set the public Hide NAT IP (for the private network on eth-s2p1) to the public address of the eth-s3p1 interface, so as not to use another IP up? Would there be problems with that?

Thanks,
Chris
