| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hello!

We're trying to upgrade our firewall system from Checkpoint NG FP3 (WinNT) to Checkpoint NGX R60 (Win2003). In our reality actually Checkpoint works by using Stonebeat Fullcluster; we should go to ClusterXL.

We first exported the gz file to create all the old rules, objects, etc. on the new firewalls. Then we replicated the same route on the new firewalls, so we started our lab using VMware (2 servers, with 2 virtual servers each to simulate Secure and DMZ), a notebook (to simulate an external client), a layer 3 switch Cisco Catalyst 2950 (for the 3 segment declarations: secure, DMZ, public), a Cisco 2600 router (to simulate the internet), and finally our 2 Checkpoint servers and a Management Server.

In the old way, when we had to publish a new site from one serverweb, we should associate by route add the serverweb IP address in each firewall, join the new serverweb to a defined group, verifying also the internal static NAT address. Finally we have to propagate the Checkpoint rules into Stonebeat by using its GUI.

Actually we published an ASP page on a serverweb in the DMZ. In secure we put a SQL Server and a DNS server in AD. We used real IP addresses in the virtual machines to match rules, objects, etc. Finally we tried to reach the ASP page from the different segments: from DMZ to DMZ (OK), from secure to DMZ (OK), from public to DMZ KO. Using Ethereal we saw that the request arrives at the serverweb but it can't send back the ASP page; it seems that NAT resolution won't work.

We're newbies in ClusterXL, so any suggestion or resource about…

Thanks!

gaudì