-----Original Message-----
From: Gibson, Brian [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 14, 2001 3:37 PM
To: 'Tom Sevy'; FWList (E-mail)
Subject: RE: [FW1] Multiple Border FW-1's, SR now broken

A little more information would help.
How is SR broken? Do you not get any encrypted packets through the 440s or can you not even download a topology? Did you do a sniff on the internal interface to see what was going on?
-----Original Message-----
From: Tom Sevy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 14, 2001 3:00 PM
To: FWList (E-mail)
Subject: [FW1] Multiple Border FW-1's, SR now broken
Had two IP440's in HA, and SecuRemote worked, in this scenario:
IP440/IP440 HA
Multiple internal hidden/nat networks
192.168.99.0/24, 192.168.100.0/24, 192.168.101.0/24, etc
Added an IP330 so that IP330 is default gateway for 192.168.99.0 internal
lan, and IP440(s) remain default gateway for other segments. Reason being
that what is behind the IP440 pair is critical, and what is behind the IP330
is non-critical. So we can afford to go down on the IP330 but not on the
IP440s. And we wanted to keep the data flowing between 192.168.99.0 and the
other internal zones handled by the IP330, leaving the IP440's to handle
(again) the critical tasks.
IP330                 IP440/IP440 HA
192.168.99.0/24       Multiple internal hidden/nat networks
                      192.168.100.0/24, 192.168.101.0/24, etc

The IP330 is running IPSO 3.3, and FW-1 4.1 SP3
The IP440s are running IPSO 3.2, and FW-1 4.1 SP2
Any suggestions on how this should be set up? With the IP440s, before the
IP330 came on, IP440-A was the default gateway for SR connections, and it
listed IP440-B as the backup.
Title: RE: [FW1] Multiple Border FW-1's, SR now broken
SR Client seems to get a filled-in userc.C file, but I can't find any entry in
logviewer for a topology download.
Trying to ping or otherwise access anything on the inside fails.
Logview does show the SR client with successful decrypt, but not entries
such as Ping (icmp) that I would expect to see.
