
StoneBeat Full Cluster Load Balancing


Daniel Ma

Nov 18, 2000, 1:52:20 AM
We have two Checkpoint FW-1 4.1 firewalls running StoneBeat Full Cluster,
configured as Load Balancing. The traffic from the DMZ and the Hide Mode NATed Local
Net works smoothly. However, we have a server doing Static NAT, and the packets
that go out from one firewall might return to the other!!! The other firewall of
course could not recognise the session, so it just dropped the packets.

We are using a Cisco router. I have already done the following:
1. In the Checkpoint firewall policy, configured Static NAT (Automatic);
2. In the Checkpoint firewalls, set a static route from <Server's public IP>
to <Server's internal IP>;
3. In the Cisco router, configured a static ARP record for the StoneBeat multicast
MAC address;
4. In the Cisco router, added a static route from <Server's Public IP> to <Firewall
external Virtual IP>.

The server's public IP is within the same range as the router's LAN interface.


Thanks,

Daniel


Obiwankenobi

Nov 19, 2000, 3:00:00 AM
Hi

Did you modify the filter.conf with the NAT entries?

Bye, Obiwankenobi

---------------------------------------------------------
Email: obiwan...@deathstar.ch
Web: http://www.deathstar.ch

PGP Public Key: http://www.deathstar.ch/about/files/Obiwankenobi.asc
PGP Key: C280 EC1C 42F0 F838 1AF5 9824 47AA 28DA C96D 9977

May the force be with you!
---------------------------------------------------------


Daniel Ma

Nov 19, 2000, 8:13:17 PM
Hi, Obiwankenobi,

Could you explain in more detail how I should modify the filter.conf?

Thanks,

Daniel

Daniel Ma

Nov 20, 2000, 3:00:00 AM
Hi, Obiwankenobi,

I have tried to edit the filter.conf file for the NAT, and I have also done
the NAT installation in the Web GUI configuration. But it still does not work.

Regards,

"Obiwankenobi" <obiwan...@deathstar.ch> wrote in message
news:SJyyEBk...@bassett.us.checkpoint.com...


> Hi
>
> Did you modify the filter.conf with the NAT entries?
>
> Bye, Obiwankenobi
>
> ---------------------------------------------------------
> Email: obiwan...@deathstar.ch
> Web: http://www.deathstar.ch
>
> PGP Public Key: http://www.deathstar.ch/about/files/Obiwankenobi.asc
> PGP Key: C280 EC1C 42F0 F838 1AF5 9824 47AA 28DA C96D 9977
>
> May the force be with you!
> ---------------------------------------------------------

Otto

Nov 21, 2000, 3:00:00 AM

"Daniel Ma" <dani...@infonet.com.sg> wrote in message
news:IamPt4o...@bassett.us.checkpoint.com...
: Hi, Obiwankenobi,
:
: Could you explain in more detail how I should modify the filter.conf?

You'd need to set up the tunnel statement in the file in question, which
bonds the VPN connection to a single firewall. The syntax is as follows:

tunnel = <endpoint (local firewall IP)> <endpoint (remote firewall IP)> <network (remote network ID of subnet)> netmask <mask (mask of remote subnet)>

There is a space between the IP addresses and you'd need to spell out the
"netmask". Sounds like you're using LunaVPN accelerator cards, are you?

Otto


Steven Decker

Nov 29, 2000, 3:00:00 AM
Have you made sure to enable state table synchronization on both firewalls?
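
The symptom from the first post (a Static NAT connection leaving through one cluster member and its reply being dropped by the other) can be confirmed from firewall logs before touching routing or synchronization settings. The Python below is an added example, not part of the thread and not Check Point or StoneBeat code; the record layout, member names, addresses and NAT map are all constructed for illustration.

```python
from collections import defaultdict

# Constructed Static NAT map (internal -> public); all addresses are illustrative.
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}

# Constructed records, not a real FW-1 log format:
# (cluster member, action, src, sport, dst, dport)
SAMPLE_LOG = [
    ("fw1", "accept", "10.1.1.10", 40001, "198.51.100.7", 80),      # outbound, pre-NAT
    ("fw2", "drop", "198.51.100.7", 80, "203.0.113.10", 40001),     # reply, wrong member
    ("fw1", "accept", "10.1.1.10", 40002, "198.51.100.9", 443),
    ("fw1", "accept", "198.51.100.9", 443, "203.0.113.10", 40002),  # reply, same member
    ("fw2", "drop", "192.0.2.55", 5555, "203.0.113.10", 22),        # ordinary policy drop
]


def flow_key(src, sport, dst, dport, nat=STATIC_NAT):
    """Direction-independent key; internal addresses are mapped to their public IP."""
    a = (nat.get(src, src), sport)
    b = (nat.get(dst, dst), dport)
    return tuple(sorted([a, b]))


def find_asymmetric_drops(records, nat=STATIC_NAT):
    """Return flows accepted by one member and dropped by a member that never saw them."""
    accepted = defaultdict(set)  # flow -> members that accepted a packet
    dropped = defaultdict(set)   # flow -> members that dropped a packet
    for member, action, src, sport, dst, dport in records:
        bucket = accepted if action == "accept" else dropped
        bucket[flow_key(src, sport, dst, dport, nat)].add(member)
    findings = []
    for flow, droppers in dropped.items():
        acceptors = accepted.get(flow, set())
        wrong_members = droppers - acceptors
        # Only flag drops on a member with no accepted packet for a flow that
        # another member did accept: the reply reached the wrong node.
        if acceptors and wrong_members:
            findings.append((flow, sorted(acceptors), sorted(wrong_members)))
    return findings


if __name__ == "__main__":
    for flow, ok, bad in find_asymmetric_drops(SAMPLE_LOG):
        print(f"{flow}: accepted on {ok}, dropped on {bad}")
```

Flows it reports are candidates for the state synchronization and routing checks raised in the thread; drops on a flow that no member ever accepted are left out as ordinary policy drops.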