RE: [FW1] problems setting up a NAT
If you are on NT you have to set up the ARP using the local.arp file: make the file $FWDIR/state/local.arp. The format for the file should be:

<external ip of mailserver> <mac add. fw ext. interface>

If you are on Solaris... you do an arp command:

arp <external ip of mailserver> <mac add. fw ext. interface> pub

(..remember though that when you reboot, the arp entry on Solaris goes bye bye.. so put this statement in a startup file (like /etc/rc3.d/S99ArpEntries):

/usr/sbin/arp <external ip of mailserver> <mac add. fw ext. interface> pub

:)

Amin Tora
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS

-----Original Message-----
From: Stephen Hunt [mailto:[email protected]]
Sent: Monday, January 08, 2001 9:08 AM
To: [email protected]
Subject: [FW1] problems setting up a NAT

Hello all,

I am trying to set up a NAT for an internal mail server. My existing policy covers outbound connections from the mail server out to the internet, but I cannot reach it from the internet back inside. I followed the documentation on setting up a static NAT, creating an object for the internal mail server and also for the external interface. The real IP is different from the external IP of the firewall, so I was sure to put in the recommended arp statement so the router upstream will know how to get to it. So, now I can route to it, but I can't get anything through the firewall inside to the mail server.

Here's what my policy basically looks like:

1  Source: <mailserver-internal, with static NAT to external>
   Destination: Any
   Services: Any
   Action: accept
   Install on: Gateways

2  Source: <entire internal network>
   Destination: Any
   Services: Any
   Action: accept
   Install on: Gateways

3  Source: Any
   Destination: <mailserver-external, with static NAT to internal>
   Services: Any
   Action: accept
   Install on: Gateways

4  Source: Any
   Destination: Any
   Services: Any
   Action: drop
   Install on: Gateways

Is this correct? Of course I'll tighten down the services later, but I want to make sure it works first.
On top of this I have added a route as such:

route add <external IP of mailserver> <internal IP> 1

and updated the arp table with <external IP of mail server> with <external MAC address of fw>. The external IP of the mail server is different from the external IP of the firewall. This ought to be simple, right? Also, I don't have split-DNS on the firewall yet, but that shouldn't affect this basic routing/NAT config?

Well, this is driving me nuts, I hope you guys can help. Thanks!

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
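The reply above gives two ways to publish the proxy-ARP entry that a static NAT needs when the NATed address is not the firewall's own: a line in $FWDIR/state/local.arp on NT, or "arp <ip> <mac> pub" on Solaris, re-run from an rc script so it survives a reboot. The POSIX shell below is an added example, not code from either poster or from Check Point: it validates the two values before they are written (a typo in the MAC is a silent way to publish the wrong hardware address and black-hole the mail server), then produces the local.arp line and a minimal Solaris startup script. The helper names, the sample address 192.0.2.25 and the MAC 00:11:22:33:44:55 are constructed for illustration; the file paths and the arp syntax are the ones the reply names.

```shell
#!/bin/sh
# Added example: generate the proxy-ARP entry for a FW-1 static NAT whose
# external address differs from the firewall's external interface address.
# Assumed from the list reply: $FWDIR/state/local.arp (NT) holds lines of
# "<ip> <mac>", and Solaris uses "/usr/sbin/arp <ip> <mac> pub".

# valid_ipv4 ADDR -> exit 0 if ADDR is four dotted decimal octets, each 0..255
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # split on "." in a subshell so IFS and the positional parameters are untouched
    ( IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# valid_mac ADDR -> exit 0 for six colon-separated hex pairs (aa:bb:cc:dd:ee:ff),
# the form the Solaris arp command expects for the firewall's interface address
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# local_arp_line IP MAC -> the line to append to $FWDIR/state/local.arp (NT)
local_arp_line() {
    valid_ipv4 "$1" && valid_mac "$2" || return 1
    printf '%s %s\n' "$1" "$2"
}

# solaris_arp_cmd IP MAC -> the published-ARP command from the reply
solaris_arp_cmd() {
    valid_ipv4 "$1" && valid_mac "$2" || return 1
    printf '/usr/sbin/arp %s %s pub\n' "$1" "$2"
}

# write_rc_script IP MAC FILE -> write a startup script that re-adds the entry
# after a reboot (the reply suggests a name like /etc/rc3.d/S99ArpEntries)
write_rc_script() {
    cmd=$(solaris_arp_cmd "$1" "$2") || return 1
    { printf '#!/bin/sh\n'; printf '%s\n' "$cmd"; } > "$3" || return 1
    chmod 755 "$3"
}

# Usage (constructed sample values):
#   local_arp_line 192.0.2.25 00:11:22:33:44:55 >> "$FWDIR/state/local.arp"
#   write_rc_script 192.0.2.25 00:11:22:33:44:55 /etc/rc3.d/S99ArpEntries
```

Once the entry is in place, "arp -a" on the firewall should list the mail server's external address against the firewall's own interface MAC with the published flag; if the upstream router still cannot reach it, the ARP side is the first thing to re-check before looking at the rule base.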