
[FW1] Nokia VRRP NAT problems




I have the following problem with a Nokia IP440 VRRP setup ...

This is the setup :

SiteA-----| FWA|-----|xDsl-modem|----------   internet
------------|Cisco-router|------|Gateway-clusterB|-----|MgmtB|----SiteB

FWA = single gateway, v4.1SP2 on NT4
Gateway-clusterB = 2 Nokia IP440s (FWB1 and FWB2) with VRRP monitored
circuits and load-balancing, v4.1SP2 on IPSO 3.2.1
MgmtB = Management server for Gateway-clusterB, v4.1SP3 on Win2K
SiteA = 172.26.x.y, hidden behind valid IP of xDsl-modem (IP a.b.c.d)
SiteB = 172.25.x.y, with static NAT from valid IPs e.f.g.x to servers on
SiteB

SiteB is hosted at a provider, so there are no employees on SiteB and a
gui-client on SiteA is used to push the rules from MgmtB to
Gateway-clusterB

On every subnet around Gateway-clusterB there are 2 virtual routers defined
(for load balancing), each gateway is master of 1 virtual router.
MgmtB uses as default gateway the virtual router of which FWB1 is the
master, and its IP 172.25.m.n is statically NAT-ed to valid IP  e.f.g.n

VRRP-failover has been tested and seems to work correctly.

First problem
-------------------
I have to use the internal addresses in network objects FWB1 and FWB2.
When I try to use the external addresses, the management server MgmtB can't
download its rules to FWB2.
When I ping from MgmtB to the valid address of FWB1 I get this:

Source        Destination   XlatedSrc     XlatedDst     Service
172.25.m.n    FWB1_valid    MgmtB_valid   FWB1_valid    ping-request
FWB1_valid    172.25.m.n                                ping-reply

>> For some reason FWB1 sends its reply directly to the internal address of
MgmtB

When I ping from MgmtB to the valid address of FWB2, I get:

Source        Destination   XlatedSrc     XlatedDst     Service
172.25.m.n    FWB2_valid    MgmtB_valid   FWB2_valid    ping-request
FWB2_valid    MgmtB_valid   FWB2_valid    MgmtB_valid   ping-reply

... which never arrives at MgmtB !!!

Because I have to use the internal addresses in the network objects FWB1
and FWB2 to work around this, I expect problems setting up VPNs between
SiteB and other sites (SiteC, SiteD, ...)

Second problem
------------------------

When an internet client sends a packet to a valid address on SiteB, the
reply is sent back with the internal address of the corresponding server as
source address, not its valid IP as would be expected.

Both problems seem to be address translation issues, although the address
translation rules are fairly straightforward :
2 rules for each server, and first rule disables NAT between the internal
networks behind the cluster.

I tried several things, including using manual NAT-rules, disabling the
first NAT-rule and upgrading both FWB1 and FWB2 to SP2 (they came with
SP1), but nothing worked.

Any ideas ?


------------------------------------------------------------------------------------------------------

Philippe Verdonck
Sr System Engineer
Erudict  Antwerpen NV
Desguinlei 250
B-2018  Antwerp
Belgium
------------------------------------------------------------------------------------------------------
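The two log excerpts in the post show a static NAT exchange breaking on different legs: in the FWB1 case the peer answers the hidden internal address directly, in the FWB2 case the firewall never translates the reply's destination back. The script below is an added example, not part of the post or of any Check Point or Nokia tool: it parses log rows in the post's column order and checks each reply against its request for the four symmetry conditions a static NAT exchange must satisfy, so a practitioner can name which leg broke before touching the rule base. The placeholder names (172.25.m.n, MgmtB_valid, FWB1_valid, e.f.g.x, 172.25.x.y) are the post's own; the "client" address and the "http" service in the second-problem case are constructed, as is the healthy reference case.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class NatLogRow:
    """One log row: addresses before translation (src, dst) and after (xlated_src, xlated_dst).

    A row the firewall logged without any translation, like the FWB1 ping-reply in the
    post, is stored with xlated_src == src and xlated_dst == dst.
    """
    src: str
    dst: str
    xlated_src: str
    xlated_dst: str
    service: str


def parse_row(line: str) -> NatLogRow:
    """Parse one whitespace-separated row in the post's column order.

    Five fields: src dst xlated_src xlated_dst service.
    Three fields: src dst service, meaning no translation was applied.
    """
    fields = line.split()
    if len(fields) == 5:
        return NatLogRow(*fields)
    if len(fields) == 3:
        src, dst, service = fields
        return NatLogRow(src, dst, src, dst, service)
    raise ValueError(f"unexpected column count {len(fields)} in row: {line!r}")


def check_nat_symmetry(request: NatLogRow, reply: NatLogRow) -> list[str]:
    """Return the ways a reply fails to mirror its translated request.

    For a request A -> B translated to A' -> B', the healthy reply is
    B' -> A' on the wire and is translated back to B -> A before it reaches A.
    An empty list means the exchange is consistent.
    """
    problems: list[str] = []
    if reply.src != request.xlated_dst:
        problems.append(
            f"reply sent from {reply.src}, expected {request.xlated_dst} "
            "(the address the request was delivered to)")
    if reply.dst != request.xlated_src:
        problems.append(
            f"reply addressed to {reply.dst}, expected translated source "
            f"{request.xlated_src} (peer answered the hidden address directly)")
    if reply.xlated_src != request.dst:
        problems.append(
            f"reply reaches requester with source {reply.xlated_src}, expected "
            f"{request.dst} (source not translated back to the valid address)")
    if reply.xlated_dst != request.src:
        problems.append(
            f"reply delivered to {reply.xlated_dst}, expected original source "
            f"{request.src} (destination not translated back, reply is lost)")
    return problems


# Constructed (request, reply) row pairs in the post's column order. The first two
# are the post's own log excerpts; "client" and "http" are constructed stand-ins.
CASES: dict[str, tuple[str, str]] = {
    "MgmtB -> FWB1": (
        "172.25.m.n  FWB1_valid  MgmtB_valid  FWB1_valid  ping-request",
        "FWB1_valid  172.25.m.n  ping-reply",
    ),
    "MgmtB -> FWB2": (
        "172.25.m.n  FWB2_valid  MgmtB_valid  FWB2_valid  ping-request",
        "FWB2_valid  MgmtB_valid  FWB2_valid  MgmtB_valid  ping-reply",
    ),
    # Second problem: an internet client reaches a statically NAT-ed SiteB server.
    "client -> SiteB server": (
        "client  e.f.g.x  client  172.25.x.y  http",
        "172.25.x.y  client  172.25.x.y  client  http-reply",
    ),
    # Reference: what a consistent exchange with FWB2 would look like.
    "MgmtB -> FWB2 (expected)": (
        "172.25.m.n  FWB2_valid  MgmtB_valid  FWB2_valid  ping-request",
        "FWB2_valid  MgmtB_valid  FWB2_valid  172.25.m.n  ping-reply",
    ),
}


def audit(cases: dict[str, tuple[str, str]]) -> dict[str, list[str]]:
    """Run the symmetry check over every (request row, reply row) pair."""
    return {name: check_nat_symmetry(parse_row(req), parse_row(rep))
            for name, (req, rep) in cases.items()}


if __name__ == "__main__":
    for name, problems in audit(CASES).items():
        print(name, "->", "OK" if not problems else "; ".join(problems))
```

Run against the post's rows, the FWB1 case trips only the "peer answered the hidden address directly" check and the FWB2 case only the "destination not translated back" check, which is the distinction between the peer's routing and the cluster's reverse translation that the post's two tables encode; the second-problem case trips only the source check.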




