
Re: [FW1] (Still having) NAT Problem




Hi Satana,


I believe that "rule 0" you were referring to was caused by the anti-spoof rules. It gets me all the time when I set up a new firewall. If you are not sure, go to "manage object", select your firewall object, then on the "interface" tab check the "anti-spoof" rule. Set them to "none" for testing purposes. (I might be wrong with these descriptions; I am away from my management station.)

If everything works, then you have found the root cause of your mystery. The next step is to set up a correct anti-spoof rule. I normally create a group object which contains the subnet itself, any other subnets that might show up in the source field of your packets (for example, if you have a router connected to this subnet too), and MOST important, the NATted address(es) that you have. I always forget the NATted address(es). Then I assign each of these group objects to the corresponding internal interface and set the external interface to "others".


Hope this helps,





eddyc
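As an added illustration of the anti-spoof point in the reply above (example code written for this page, not Check Point's code and not anything the posters supplied), here is a small Python model of the per-interface "valid addresses" check that produces the "rule 0" drops. The interface names eth0/eth1, the sample addresses and the way the check is evaluated are assumptions; the model only encodes what the replies in this thread state, namely that the translated (NATted) address must appear in the internal interface's group and that the external interface is set to "others".

```python
"""Model of the FW-1 anti-spoofing check ("rule 0") on a gateway doing static NAT.

Added example for this thread; it is not Check Point code and not code from any
poster. The interface names, addresses and the per-interface "valid addresses"
data structure are assumptions chosen to illustrate the replies above.
"""
import ipaddress

# Constructed sample topology (assumption). RFC 5737 / RFC 1918 addresses.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")    # directly on eth1
ROUTED_NET = ipaddress.ip_network("10.1.0.0/24")      # behind a router on eth1
WWW_INTERNAL = "10.0.0.80"                            # the web server
WWW_EXTERNAL = "198.51.100.80"                        # its static NAT address

OTHERS = "others"   # the setting used for the external interface


def make_topology(include_natted):
    """Build the per-interface valid-address settings.

    Each internal interface gets a group of networks it may legitimately see
    as packet sources; the external interface is set to "others", meaning
    any address not claimed by an internal interface.  When include_natted
    is False the NATted /32 is left out, which is the mistake eddyc describes.
    """
    internal_group = [INTERNAL_NET, ROUTED_NET]
    if include_natted:
        internal_group.append(ipaddress.ip_network(WWW_EXTERNAL + "/32"))
    return {"eth1": internal_group, "eth0": OTHERS}


def _claimed_by_internal(topology, ip):
    """True if some internal interface's group contains ip."""
    return any(ip in net
               for nets in topology.values() if nets != OTHERS
               for net in nets)


def anti_spoof(topology, iface, src):
    """Return the rule-0 verdict for a packet with source src seen on iface."""
    src = ipaddress.ip_address(src)
    nets = topology[iface]
    if nets == OTHERS:
        valid = not _claimed_by_internal(topology, src)
    else:
        valid = any(src in net for net in nets)
    return "accept" if valid else "drop (rule 0)"


def scenario(include_natted):
    """Run the packets discussed in the thread through both interfaces."""
    topo = make_topology(include_natted)
    return {
        # Internet client reaching the published address
        "client on eth0": anti_spoof(topo, "eth0", "203.0.113.5"),
        # web server's own (untranslated) source on the inside
        "www internal on eth1": anti_spoof(topo, "eth1", WWW_INTERNAL),
        # host behind the internal router
        "routed host on eth1": anti_spoof(topo, "eth1", "10.1.0.7"),
        # the translated address seen on the internal interface; this is the
        # case the replies above say needs the NATted address in the group
        "www natted on eth1": anti_spoof(topo, "eth1", WWW_EXTERNAL),
        # spoofed internal source arriving from the outside
        "spoofed 10.0.0.5 on eth0": anti_spoof(topo, "eth0", "10.0.0.5"),
        # outside host impersonating the published address
        "spoofed natted on eth0": anti_spoof(topo, "eth0", WWW_EXTERNAL),
    }


if __name__ == "__main__":
    for include in (False, True):
        print("NATted address in internal group:", include)
        for packet, verdict in scenario(include).items():
            print(f"  {packet:28s} {verdict}")
```

Running it shows the translated address being dropped by rule 0 on the internal side until the /32 is added to the group, while the internal subnets and the outside client pass in both cases. A side effect of the model worth noting: once the NATted /32 is claimed by an internal interface, an outside packet that spoofs the published address is also dropped on eth0, so the "others" setting tightens as the internal groups grow.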





From: "Satana" <[email protected]>
To: "Chris Arnold" <[email protected]>, "'Brockhoven, Werner '" <[email protected]>, <[email protected]>
Subject: [FW1] (Still having) NAT Problem
Date: Wed, 3 Oct 2001 18:08:28 +0200



Hi everybody, and thanks for all your answers....
I've checked my FW1 rules & Address Translations and...you got me! Something
was messed up.
Anyway..... I forgot to say that I obviously did the ARPing (arp -s EXT_IP
MAC_ADDR pub) and I added the route (route add EXT_IP INT_IP 1), but still
it isn't working. I've got an error in the FW1 logs regarding rule 0 (?). I'm
pretty much out of ideas...
Thanks again for your help and interest


Lorenzo




----- Original Message -----
From: "Chris Arnold" <[email protected]>
To: "'Brockhoven, Werner '" <[email protected]>; "''Satana' '" <[email protected]>; <[email protected]>
Sent: Thursday, September 27, 2001 5:19 PM
Subject: RE: [FW1] NAT Problem


>
> I would stay away from automatic NAT rules personally. Do it manually as
> there used to be issues with automatic NAT rules and manually gives you a
> finer level of control as well.
>
> Chris
>
> -----Original Message-----
> From: Brockhoven, Werner
> To: 'Satana'; [email protected]
> Sent: 9/26/01 2:13 AM
> Subject: RE: [FW1] NAT Problem
>
> Hello Lorenzo,
>
> So you are trying to configure static destination NAT.
>
> It may be easier to let FW-1 configure the NAT rule by configuring the
> NAT tab in the workstation object which represents the internal machine.
> Because you are using static destination NAT you'll have to configure a
> route on the firewall for the external IP address and have it point to
> the internal IP address of the www server. In your firewall object
> you'll have to configure antispoofing on the internal interface and add
> the external IP address of the www server. Finally you'll want to
> publish the external IP address on your gateway via ARP so the external
> router knows where to send the packets.
>
> Regards,
>
> Werner
>
>
>
> -----Original Message-----
> From: Satana [mailto:[email protected]]
> Sent: Tuesday, September 25, 2001 10:51 AM
> To: [email protected]
> Subject: [FW1] NAT Problem
>
>
> Hi everybody
> I've got this problem: I have to publish over www an internal machine
> (which obviously has an internal IP address) and I have to make FW1 NAT
> its IP to the external IP address (which is already routed on the right
> router & CDN).
> I've made a rule within the "Address Translation" tab which says as original
> packet:
> SOURCE : Internal IP
> DESTINATION : Any
> SERVICE : Any
> as translated packet:
> SOURCE : External IP
> DESTINATION : Original
> SERVICE : Original
> And it's obviously installed on the FW1 cluster.
> There's also a rule in the security policy:
> SOURCE : Any
> DESTINATION : External IP
> SERVICE : http
> ACTION : Accept
> What do I have to do now? To me it all seems fine, but it doesn't work.
> Where am I doing it wrong?
> Thanks in advance
>
> Lorenzo
>
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>












