Re: [FW1] FW does NAT but should not
Also try putting a keep original rule at the top of your NAT rulebase.

Andrew Bagrin
Secure-1
www.secure-1.com

----- Original Message -----
From: Hans-Joachim Hoetger <[email protected]>
To: <[email protected]>
Sent: Tuesday, November 14, 2000 12:39 PM
Subject: Re: [FW1] FW does NAT but should not

>
> On Tue, Nov 14, 2000 at 11:54:02AM -0500, Robert MacDonald wrote:
> >
> > Take a look at the Address Translation/NAT tab in the fw GUI.
> > That should tell you what is being NATted.
> >
>
> Hello
> As I said, there is surely nothing that enforces this NAT.
> Meanwhile we found out a bit more: The problem seems to be
> originated by GRE. We told the Ciscos to use IP-encapsulated
> (ip_p 4) for the tunnel instead of GRE and everything works fine.
> It seems to me as if I have discovered a BUG in FW-1. :-(
>
> >
> > >>> Hans-Joachim Hoetger <[email protected]> 11/14/00 11:34:46 AM >>>
> > >
> > >Hello
> > >I'm sitting in front of a very strange problem. There are
> > >two Ciscos connected to my firewall. Let's say c1 and c2.
> > >They are talking to each other over a GRE tunnel. (ip_p 47)
> > >Everything works well if c1 is sending to c2. The problem
> > >is as follows: The packets from c2 to c1 are NATted. (They
> > >hide behind the external IF of the firewall.) There is
> > >surely no rule that enforces this.
> > >Some tech. details:
> > >FW-1 Build 41716 [VPN + DES + STRONG] running on Solaris 7
> > >default route points to qfe0
> > >c1 can be reached over qfe0
> > >c2 is connected to qfe1
> > >
> > >If I snoop on qfe1, the (incoming) packets have the right
> > >SRC and DST. If I snoop on qfe0 (outgoing), the packets have
> > >the right DST, but SRC is set to the address of the firewall
> > >interface qfe0.
> > >
> > >What can I do about this?
> >
>
> --
> Hans-Joachim Hoetger voice: +49-5241-80-88990
> mediaWays GmbH NMW-T1 (Technologie)
>
> "The rise of Linux as a challenger to Microsoft
> is also a good thing."
> Angela Merkel (Die Zeit, 4 May 2000)
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
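
The check described in the thread (capture on the inside interface qfe1 and the outside interface qfe0, then compare SRC) can be scripted. The following is an added example, not part of the original thread: it assumes raw IPv4 packets already extracted from each capture and that the firewall forwards the IP ID and payload unchanged, and all addresses and packets are constructed.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options
GRE, IPIP = 47, 4          # IP protocol numbers named in the thread

def ip_packet(src, dst, proto, ident, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0; constructed test data)."""
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse(pkt):
    """Return (pairing key, source address) for one raw IPv4 packet."""
    vihl, _, total, ident, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    return (proto, ident, socket.inet_ntoa(dst), pkt[ihl:total]), socket.inet_ntoa(src)

def find_unexpected_nat(ingress, egress):
    """Pair packets seen on both interfaces and report any rewritten source."""
    seen = dict(parse(raw) for raw in ingress)
    findings = []
    for raw in egress:
        key, src = parse(raw)
        orig = seen.get(key)
        if orig is not None and orig != src:
            # (protocol, source on ingress, source on egress, destination)
            findings.append((key[0], orig, src, key[2]))
    return findings

# Constructed addresses (documentation ranges), not taken from the thread.
C1, C2, FW_QFE0 = "198.51.100.1", "192.0.2.2", "203.0.113.1"
GRE_PAYLOAD = b"\x00\x00\x08\x00" + b"inner-packet"

# c2 -> c1 as captured inbound on qfe1: one GRE packet, one IP-in-IP packet.
QFE1_IN = [ip_packet(C2, C1, GRE, 100, GRE_PAYLOAD),
           ip_packet(C2, C1, IPIP, 101, b"inner-packet")]
# The same packets as captured outbound on qfe0: only the GRE one is hidden.
QFE0_OUT = [ip_packet(FW_QFE0, C1, GRE, 100, GRE_PAYLOAD),
            ip_packet(C2, C1, IPIP, 101, b"inner-packet")]

if __name__ == "__main__":
    for proto, orig, new, dst in find_unexpected_nat(QFE1_IN, QFE0_OUT):
        print(f"proto {proto}: source {orig} rewritten to {new} (dst {dst})")
```
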