Recent content by martinp05

hello, maybe you can find all the documents on www.checkpoint.com. :) martin ---------------------------------- Martin Peinsipp, Austria CCSA, IT-Security-Administrator

Hello, Bypass nat is configured (between the VPN-Tunnel Edge-NGX). Yes, the secureclient can reach the network. Yes the certifificate exists as well. :) I know the request ist quite strange, but the customer is the king. :) Martin ---------------------------------- Martin Peinsipp, Austria...

Hello! I have the following issue: Between a VPN-Edge-Box (latest firmaware) and a NGX-Firewall there is a Site-to-Site-VPN configured. Behind the NGX-Firewall there is an other NGX-Firewall (SecureClient VPN-Endpoint). Behind the VPN-Edge-Box there is a ClientPC. This ClientPC should...

hello, before ssh is working, you have to configure a hostname + domain-name on the pix. then you must generate an rsa-key (ans save this key). then be sure only to access the pix with ssh-v1 (ios7 ssh-v2 works). martin ---------------------------------- Martin Peinsipp, Austria CCSA...

hello, try this two ones: 1) leave the username-flied blank 2) username: pix martin ---------------------------------- Martin Peinsipp, Austria CCSA, IT-Security-Administrator

hello guys, i got it: clear access-list Name_of_the_ACL counters martin ---------------------------------- Martin Peinsipp, Austria CCSA, IT-Security-Administrator

Hello! Is it possible to reset the hitcount for a configured access-list without rebooting/clear xlate/whatever the PIX-Firewall? Best regards Martin ---------------------------------- Martin Peinsipp, Austria CCSA, IT-Security-Administrator

hello, in 6.3 you have to configure eacht traffic which should not be natted. i know this can be a lot of work. i read something about version 7, that in this version everythink will not be natted, until you will do it...but i do not know if this realy works in version 7. check out: Optional...

hello, first: what you are doing for the traffic from inside to internet is not nat, it is pat. but anyway it will work. i think in version 7 the nonat-behaviour was changed.. in 6.3 you must make an nonat-accesslist. for example: nat (inside) 0 access-list nonat_inside --> no nat nat...

hello, you only can bind one access-group to one interface. but a access-group can handle several access-lists (as much as you want). so you can establish different rules to one access-group. this group can be applied to one interface... martin ---------------------------------- Martin...

hello, @rn4it: basicaly you are right, but the checkpoint "understands" voiceoverip (h323), so you do not need to enable traffic in both directions. the firewall will do this dynamically. if h323-traffic is started in both directons, you are right. the only thing you have to know is the...

hello joniels, yes i found that out as well. :) martin ---------------------------------- Martin Peinsipp, Austria CCSA, IT-Security-Administrator

hello, if you configure more than one syslog-server and if you configure to log the hole stuff (debug) the pix will need more cpu-power. i think if you use one syslog-server and log "only" the standard-stuff, there should not be a problem at all. if you need debug-messages you can configure...

Hello! Today i saw that the hole ms-netbios-traffic through the pix is very slow. has somebode any ideas? martin ---------------------------------- Martin Peinsipp, Austria CCSA, IT-Security-Administrator

Hello! I am quit new in administrating a callmanager-enviroment. i did not find the right answere here. so wil try to post my problem. i would like to forward our local it-support phonenumber based on a "timetable". from 9 to 5 the supportnumber should not be forwarded. after 5 a clock, this...