Re: [FW1] NAT Issue
Hi,

I suggest you check your firewall logs to see whether your incoming packets do get dropped by the firewall before they are routed to the internal interface. I could not see any rule which allows incoming connections to the public IP of your internal machine.

On the other hand, the order of operations of FW-1 (quote from PhoneBoy) is:

1. Inbound anti-spoof check (verifies the source IP is included in the interface's "valid addresses" setting)
2. Inbound check against the rulebase (includes properties)
3. Routing by the OS
4. Outbound anti-spoof check (verifies the destination IP is included in the interface's "valid addresses" setting)
5. Outbound check against the rulebase (includes properties)
6. Network Address Translation

At #2, when the incoming packets are checked against the security policy, you should still have the destination IP address as being the public (routable) one.

Cristian boenning wrote:
>
> Hello,
>
> I've trouble with NAT, it works just in one direction. This is the scenario:
> Behind the Firewall resides a routable Network. Now I've added a new Subnet to this
> network which is hidden class. The routing between the routable internal network and
> the hidden class network is done by a sun. Routing at all works fine. I could reach from
> the firewall a hidden machine and I can reach the firewall from the hidden machine.
> (Just added a route to the firewall which adds the route to the sun router for the
> hidden net and the sun router defaults to the firewall). Now I want to add NAT, so that
> one of the hidden machines could reach the internet and the internet could reach the hidden
> machine. This should be done by static NAT.
> I added a static arp entry for the valid IP with the hidden MAC.
> I added the object with real IP and static NAT to the valid IP.
> I added two rules with the object.
> (BTW I changed spoofing also to get things to work)
> 1.) hidden any any ...
> 2.) any hidden any
>
> Any connection from the hidden machine to the outside works great (Just the way it should).
> But if I try to reach the machine from the outside I can't connect.
> I.e. Outside traffic works, inside not.
> I've tried to track down the problem with snoop.
> I could verify that the outside packets reach the firewall. I even could verify that these
> packets reach the sun router, but they don't reach the hidden machine.
> Have I missed something on the firewall or does the problem belong to the sun router, cause
> the packets reach the sun router. For both cases, any clue ?
>
> TIA, Dirk.
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
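The six-step order quoted above, walked through as an added simulation that is not from either poster: it shows why an inbound rule written against the object's real (hidden) address never matches a packet whose destination is still the public address at step 2, and why the public address must also be in the internal interface's "valid addresses" for step 4. All addresses, object names and rules are constructed placeholders.

```python
import ipaddress

# Constructed topology: addresses and object names are placeholders, not from the thread.
INTERNAL_VALID = ["10.0.0.0/8", "192.0.2.0/24"]   # internal "valid addresses": hidden net + public NAT range (step 4 needs the latter)
OBJECTS = {"hidden": "10.1.1.5", "hidden_valid": "192.0.2.10"}   # real-IP object, and an object carrying its public IP
STATIC_NAT = {"10.1.1.5": "192.0.2.10"}                          # static NAT: real -> public
PUBLIC_TO_REAL = {v: k for k, v in STATIC_NAT.items()}

def in_ranges(ip, ranges):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in ranges)

def valid_on(iface, ip):
    """Anti-spoof check: internal owns INTERNAL_VALID, external owns everything else."""
    inside = in_ranges(ip, INTERNAL_VALID)
    return inside if iface == "internal" else not inside

def rule_verdict(rulebase, src, dst):
    """First matching rule wins; an object matches only the address it was defined with."""
    for rule_src, rule_dst, action in rulebase:
        if (rule_src == "any" or OBJECTS[rule_src] == src) and \
           (rule_dst == "any" or OBJECTS[rule_dst] == dst):
            return action
    return "drop"                                   # implicit cleanup rule

def process(rulebase, src, dst, in_iface):
    """Walk the six steps; returns (verdict, step reached, src after NAT, dst after NAT)."""
    if not valid_on(in_iface, src):                          # 1. inbound anti-spoof
        return ("drop", 1, src, dst)
    if rule_verdict(rulebase, src, dst) != "accept":         # 2. inbound rulebase, pre-NAT addresses
        return ("drop", 2, src, dst)
    out_iface = "internal" if in_ranges(dst, INTERNAL_VALID) else "external"   # 3. routing
    if not valid_on(out_iface, dst):                         # 4. outbound anti-spoof
        return ("drop", 4, src, dst)
    if rule_verdict(rulebase, src, dst) != "accept":         # 5. outbound rulebase
        return ("drop", 5, src, dst)
    return ("accept", 6, STATIC_NAT.get(src, src), PUBLIC_TO_REAL.get(dst, dst))   # 6. NAT last

# Dirk's two rules, both written against the real-IP object.
RULES_REAL_ONLY = [("hidden", "any", "accept"), ("any", "hidden", "accept")]
# Corrected: the inbound rule names the public address, which is what step 2 sees.
RULES_FIXED = RULES_REAL_ONLY + [("any", "hidden_valid", "accept")]

if __name__ == "__main__":
    print(process(RULES_REAL_ONLY, "10.1.1.5", "198.51.100.7", "internal"))   # outbound works: accept, src -> public
    print(process(RULES_REAL_ONLY, "198.51.100.7", "192.0.2.10", "external")) # inbound dropped at step 2
    print(process(RULES_FIXED, "198.51.100.7", "192.0.2.10", "external"))     # inbound accepted, dst -> real
```

The firewall log entry for the dropped inbound packet would show the public destination address and the cleanup rule, which is the check suggested at the top of the reply.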