
2 IP120 + Firewall-1 VPN-1 + 1 Management Server


lancelote

Programmer
Mar 17, 2004
Hello,

Well, I have installed 2 Check Point NG FP3 enforcement modules on 2 Nokia IP120s. It works well.

Now I want to install the policy on each Nokia via a Management server on a local network behind one Nokia IP120.

Explanation :

local local
10.0.1.0/24 192.168.1.0/24
| |
__|________________|___________
| |
| IP120 |
|with enforcement module NG FP3 |
---------------------------------------------
|Public IP like 223.99.89.1/24
|
|
__________
| |
| Internet |
--------------
|
|
|public IP like 212.55.46.1/24
_________________________________
| |
| IP120 |
|with enforcement module NG FP3 |
-----------------------------------------------
|local like |
|10.0.0.1/24 |
| |
| local like 192.168.0.0
|
|
|10.0.0.2
-------------------------
|Management server |
-------------------------

So I would like to manage the 2 modules using my management server, which is on a local network.

My problem is installing the policy on the Nokia IP120 through the Internet.
For installing the policy on the local Nokia IP120 there is no problem, and it's needed to install the distant policy for NAT to the management server. After that I have got the distant Nokia IP120 connected in SmartStatus.
Well!

After that I try to install the policy on the distant Nokia IP120, but it fails to finish the installation. It begins, and a part of it is installed, but then I am disconnected from the distant Nokia in SmartStatus and the installation of the policy times out.
What NAT or option must I use to install the policy correctly on the distant Nokia IP120?


LaNceLoT
 
Just NAT the management server to another IP address and put in a rule that allows that IP address management access to both Nokias, local and remote.

As long as you have SIC set up correctly this should work just fine.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
OK, there is no problem with this one now, without VPN communities. My fault was that there was no name resolution for the management server. It was solved by putting the address of the external interface of the local Nokia IP120 as the name in the internal certificate.
Well! One time before I had managed to do this but I did not remember how, so it's nice now.

But now my other problem (for 2 weeks now) is when I install the VPN. When I put in the VPN there are many things that appear.
First, I install the policy well on the local Nokia.
Second, I can't ping the external interface of the distant Nokia anymore, although I've got rules that allow this: one rule that allows the management to get out of the Nokia, one rule that allows any to access the management, and one rule that allows any to access the external interface of each Nokia. The error message in SmartTracker is "encryption failure: no response from peer".
Third, in SmartTracker I've got one line that says my management server wants to access my distant Nokia on the service CPD_Amon. I've got my rule number 1 which accepts, and one implied rule (no number) which denies access and says: "TCP sequence validator: dropped packet with invalid ACK number".

I hope I was clear and I hope you can help me to solve this.
 
I have solved the problem. The NAT rule was Hide NAT, and we need Static NAT for the management server.

Thx

LaNceLoTe


LaNceLoT
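As an added illustration (not from the thread or from Check Point), the following simulation shows why a Hide NAT rule on the management server breaks the remote gateway's connections back to it, while a Static NAT rule does not. Addresses are taken from the diagram above; the CPD_Amon port number (18192) is an assumption.

```python
"""Hide NAT vs Static NAT for a Check Point management server (constructed model)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MGMT = "10.0.0.2"           # management server on the local LAN (from the diagram)
REMOTE_GW = "223.99.89.1"   # external interface of the distant IP120 (from the diagram)
CPD_AMON_PORT = 18192       # assumed TCP port of the CPD_Amon service

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class HideNat:
    """Many-to-one NAT: the LAN shares one public IP and a translation entry
    exists only after an internal host has initiated an outbound connection."""
    def __init__(self, internal_net: str, public_ip: str):
        self.net = ipaddress.ip_network(internal_net)
        self.public_ip = public_ip
        self.table: dict[int, tuple[str, int]] = {}   # mapped port -> (host, port)
        self.next_port = 10000

    def outbound(self, p: Pkt) -> Pkt:
        if ipaddress.ip_address(p.src) not in self.net:
            return p                                  # not ours, pass unchanged
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (p.src, p.sport)
        return Pkt(self.public_ip, port, p.dst, p.dport)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        # Unsolicited inbound packets match no table entry and are dropped (None).
        entry = self.table.get(p.dport)
        if p.dst != self.public_ip or entry is None:
            return None
        host, port = entry
        return Pkt(p.src, p.sport, host, port)

class StaticNat:
    """One-to-one NAT: a fixed public IP maps to the management server in both directions."""
    def __init__(self, internal_ip: str, public_ip: str):
        self.internal_ip, self.public_ip = internal_ip, public_ip

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        return Pkt(p.src, p.sport, self.internal_ip, p.dport) if p.dst == self.public_ip else None

def remote_gateway_reaches_mgmt(nat) -> bool:
    """Can the distant IP120 open a new connection to the management server's public IP?"""
    inside = nat.inbound(Pkt(REMOTE_GW, 40000, nat.public_ip, CPD_AMON_PORT))
    return inside is not None and inside.dst == MGMT
```

Under Hide NAT the gateway's connection is dropped even if the management server has other sessions open, which matches the policy install starting and then timing out.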
 