Re: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
There is a method to correct this. However, not available to me at this
very moment. Will post it tomorrow.

> Dan Hitchcock wrote:
>
> I have also seen this happen when using automatic NAT rules - the
> firewall is NATting fine, then suddenly, with no explanation, private
> addresses start leaking to the public network. Nothing in the
> firewall logs, nothing in fwd.elg, the NAT xlate state tables aren't
> full, fw ctl pstat looks fine, etc etc.
>
> The fix has been to create manual NAT rules in the address translation
> rulebase rather than automatic NAT rules on the objects themselves.
>
> BTW, Hey Check Point, what's up with this? I've never found a
> satisfactory explanation anywhere for this, and the problem persists
> right up through 4.1SP4 (have seen it as early as 4.0SP1).
>
> Dan Hitchcock
> CCNP, CCSE, MCSE
> Security Analyst
> Breakwater Security Associates, Inc.
> "Safe Harbor for E-Business"
> dhitchcock (at) breakwatersecurity (dot) com
> http://www.breakwatersecurity.com
>
> The information contained in this email message may be privileged,
> confidential and protected from disclosure. If you are not the
> intended recipient, any dissemination, distribution or copying is
> strictly prohibited. If you think you have received this email
> message in error, please email the sender at
> [email protected]
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Tuesday, September 04, 2001 2:56 AM
> To: Siow Yun Patricia
> Cc: [email protected]
> Subject: Re: [FW1] NAT fails on adhoc basis - Anybody encountered this
> before ?
>
> do you have any "halloc failed blah blah" in your fwd.elg?
>
> maybe you run out of kernel memory, you can try to increase fwhmem
> in /etc/system as shown:
>
>     set fw:fwhmem=0x900000
>
> this number is calculated for my config, I think there is a phoneboy
> article covering this issue.
>
> Raúl.
>
> Siow Yun Patricia <[email protected]>@lists.us.checkpoint.com on
> 03/09/2001 05:59:24
>
> Sent by: [email protected]
>
> From: Siow Yun Patricia <[email protected]>@lists.us.checkpoint.com
> Date: 03/09/2001 05:59
> Subject: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
>
> Hi all !
>
> Have any administrators encountered this problem before ?
>
> Setup :
> Checkpoint 4.1 sp4 on pair of Sun Ultra 10s Solaris 7. Implements
> stonebeat fullcluster for HA and load balancing solution. Implements
> VPN with use of SecuRemote.
>
> Problem :
> NAT fails without reason adhoc basis.
> Noticed that after pushing out the same policy with minor changes to
> the firewall many times (during testing). NAT fails to work even though
> it has previously worked before. What's odd is that after creating a
> new rulebase and creating a set of rules and NAT exactly the same as
> before. Pushed it out to the nodes again. NAT works.
>
> Are there any state files or config files to remove and check without
> the need to re-create a new policy every time ?
>
> Thanks in advance.
>
> Rgds,
> Patricia
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

--
Juan Concepcion
Network Security Engineer
CCSA CCSE
[email protected]
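
A check for the symptom described in this thread (private source addresses reaching the public side while the firewall logs show nothing), as an added example that is not part of the original messages: it scans text captured on the external interface and counts packets whose source is still an RFC 1918 address. The `tcpdump -n` style input format, the sample lines and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges. A source in one of these on the external interface means
# the packet left the firewall without being translated.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed input: "tcpdump -n" text, "<time> IP <src>[.port] > <dst>[.port]: ..."
# The port is optional because ICMP lines carry none.
LINE_RE = re.compile(
    r"\bIP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:")

# Constructed sample capture (documentation addresses stand in for public hosts).
SAMPLE = """\
10:01:02.100000 IP 203.0.113.10.40001 > 198.51.100.7.80: Flags [S], length 0
10:01:03.200000 IP 192.168.1.20.51544 > 198.51.100.7.80: Flags [S], length 0
10:01:03.900000 IP 192.168.1.20.51545 > 198.51.100.7.443: Flags [S], length 0
10:01:04.000000 IP 10.1.1.5 > 198.51.100.9: ICMP echo request, length 64
10:01:05.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28
10:01:06.000000 IP 999.168.1.1.1 > 198.51.100.7.80: damaged line
""".splitlines()

def is_private(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def leaked_sources(lines):
    """Count packets per private source address sent to a non-private host."""
    leaks = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # non-IP traffic such as ARP
        try:
            src_private = is_private(m["src"])
            dst_private = is_private(m["dst"])
        except ValueError:
            continue  # malformed address in a damaged capture line
        if src_private and not dst_private:
            leaks[m["src"]] += 1
    return leaks

if __name__ == "__main__":
    for src, count in leaked_sources(SAMPLE).most_common():
        print(f"untranslated source {src}: {count} packet(s)")
```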