Hello everyone!!!
We ask for the community's help in solving the following configuration.
First of all, we have an ISP cluster of routers and a Checkpoint cluster. It's a very simple configuration. There is a /29 of public IPs that the ISP routes to the Checkpoint.
The ISP routers and the Checkpoint are connected via a routing network with private addresses (10.100.250.0/24).
So, 10.100.250.1,2,3 are the IPs on the routers' side, and 10.100.250.252,253,254 are the Checkpoint cluster addresses. The ISP routes the public range to IP 10.100.250.254 (Checkpoint virtual IP).
There is no public address on the checkpoint cluster. We have some services published with some NAT rules.
But we want to enable the Mobile portal and be able to create site-to-site IPsec tunnels.
The problem we have is that we cannot make the "https://<publicip>/sslvpn" URL work, because there is no public IP on the Checkpoint. We cannot make a 1-to-1 NAT for the firewall itself. We tried with Proxy ARP, with no success. It worked with an interface alias on one of the Checkpoints, but it's not supported with ClusterXL (and we cannot add another virtual IP on the external interface).
There are two possible solutions (changing the interconnect network):
- 3 public IPs on the Checkpoint cluster external interfaces and 3 public IPs on the router cluster
- 1 public IP on the Checkpoint cluster external interfaces and 3 public IPs on the router cluster (sk32073)
But we only have 6 public IPs, and we don't want to waste them on the routing network.
Is there anyone with a similar configuration?
Thank you in advance for the help!!
Best regards,