RE: [FW1] problems setting up a NAT




If you are on NT you have to set up the ARP using the local.arp file:

Make the file $FWDIR/state/local.arp. The format for the file should be:

<external ip of mailserver>	<mac add. fw ext. interface>

If you are on Solaris, you do an arp command:

arp -s <external ip of mailserver> <mac add. fw ext. interface> pub

Remember, though, that when you reboot, the arp entry on Solaris goes bye
bye, so put this statement in a startup file (like
/etc/rc3.d/S99ArpEntries):

/usr/sbin/arp -s <external ip of mailserver> <mac add. fw ext. interface> pub

 :)


Amin Tora
ePlus Technology
http://www.eplus.com
NASDAQ: PLUS

-----Original Message-----
From: Stephen Hunt [mailto:[email protected]]
Sent: Monday, January 08, 2001 9:08 AM
To: [email protected]
Subject: [FW1] problems setting up a NAT



Hello all,

I am trying to set up a NAT for an internal mail server.  My existing
policy covers outbound connections from the mail server out to the internet,
but I cannot reach it from the internet back inside.  I followed the
documentation on setting up a static NAT, creating an object for the
internal mail server and also for the external interface.  The real IP
is different from the external IP of the firewall, so I was sure to
put in the recommended arp statement so the router upstream will know
how to get to it.  So, now I can route to it, but I can't get anything
through the firewall inside to the mail server.  Here's what my policy
basically looks like:

1  Source: <mailserver-internal, with static NAT to external>
   Destination: Any
   Services: Any
   Action:  accept
   Install on:  Gateways

2  Source: <entire internal network>
   Destination:  Any
   Services:  Any
   Action:  accept
   Install on:  Gateways

3  Source:  Any
   Destination:  <mailserver-external, with static NAT to internal>
   Services:  Any
   Action:  accept
   Install on:  Gateways

4  Source:  Any
   Destination: Any
   Services:  Any
   Action:  drop
   Install on:  Gateways

Is this correct?  Of course I'll tighten down the services later, but I
want to make sure it works first.  On top of this I have added a route
as such:

route add <external IP of mailserver> <internal IP> 1

and updated the arp table with <external IP of mail server> with
<external MAC address of fw>.  The external IP of the mail server is
different from the external IP of the firewall.

This ought to be simple, right?  Also, I don't have split-DNS on the
firewall yet, but that shouldn't affect this basic routing/NAT config?

Well, this is driving me nuts, I hope you guys can help.

Thanks!


============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====
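
A check for the published ARP entry described in the reply above, as an added example that is not part of the original thread: it reads Solaris-style `arp -a` output and reports whether the mail server's external IP is published with the firewall's external MAC. The function name, the sample table, the 192.0.2.x addresses and the MAC values are constructed, and the column layout (Device, IP Address, Mask, Flags, Phys Addr) is an assumption about the `arp -a` output being checked.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an ARP table on stdin and prints
# one of: ok, missing, not-published, wrong-mac.
check_proxy_arp() {
    nat_ip=$1   # external (NAT) IP of the mail server
    fw_mac=$2   # MAC of the firewall's external interface
    awk -v ip="$nat_ip" -v mac="$fw_mac" '
        # Octets may be printed without leading zeros (8:0:20:...), so
        # normalise both addresses before comparing them.
        function norm(m,   n, i, p, sep, out) {
            n = split(tolower(m), p, ":")
            out = ""
            for (i = 1; i <= n; i++) {
                sub(/^0+/, "", p[i])
                if (p[i] == "") p[i] = "0"
                sep = (i > 1) ? ":" : ""
                out = out sep p[i]
            }
            return out
        }
        $2 == ip {
            found = 1
            # Dynamic entries have an empty Flags column (4 fields, not 5).
            flags = (NF >= 5) ? $4 : ""
            if (flags !~ /P/)               result = "not-published"
            else if (norm($NF) != norm(mac)) result = "wrong-mac"
            else                             result = "ok"
        }
        END { print (found ? result : "missing") }
    '
}

# Constructed sample table: .25 is static and published, .26 is static only.
SAMPLE_ARP='Net to Media Table
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   192.0.2.1            255.255.255.255       00:10:7b:aa:bb:01
hme0   192.0.2.25           255.255.255.255 SP    08:00:20:a1:b2:c3
hme0   192.0.2.26           255.255.255.255 S     08:00:20:a1:b2:c3'

printf '%s\n' "$SAMPLE_ARP" | check_proxy_arp 192.0.2.25 8:0:20:a1:b2:c3
```

On a live firewall the input would be `arp -a | check_proxy_arp <external ip of mailserver> <mac add. fw ext. interface>`, run after a reboot to confirm the startup file restored the entry.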

