Re: [FW1] FW-1 with NAT
Thanks again Robert. One more question, which interface would I bind my
license to? I have heard external to my internet (and for VPN) and internal
for natting but which one?!?!?

David.

----- Original Message -----
From: "Robert MacDonald" <[email protected]>
To: <[email protected]>; <[email protected]>
Sent: Wednesday, November 15, 2000 5:21 AM
Subject: Re: [FW1] FW-1 with NAT

David,

A nice side benefit of FW1 is that newcomers can learn how some of these
rules are built, by allowing the system to control them. If you view the
implied rules or look at the Address Translation rules, you may see these.
As you check/uncheck the policy properties, these 'auto-rules' will appear
or disappear.

The same goes for NATting. If you add NAT to an object, the system will
create the rules for you. But since these are auto generated by the system,
you cannot edit them directly. I prefer to build my own, because I have
more granular control over the rule.

In your case, let's say your firewall has two interfaces:

Internal is 10.1.1.1/24
External is 216.232.38.65

After you have created an fw ws object, create a network object called
local_net. The IP address is the IP net of your internal network. In this
example it would be 10.1.1.0. The netmask would be 255.255.255.0. Now click
on the NAT tab and check the box labeled "Add Automatic Address Translation
Rules". Make the "Translation Method" hide and add the IP address of
216.232.38.65 to the "Hide IP Address" field.

Now go to the Address Translation tab and see two new rules built just for
you. Now try and duplicate these rules manually and you should see more of
the gruesome details ;)

Best of Luck!

Robert

>>> "David Luong" <[email protected]> 11/15/00 1:01:41 AM >>>
>Hi Robert,
>
>Thanks for the insight. I'm pretty new to checkpoint so if you don't mind
>my ignorance, how do you make a NAT original rule?
>
>David.
>
>----- Original Message -----
>From: "Robert MacDonald" <[email protected]>
>To: <[email protected]>; <[email protected]>;
><[email protected]>
>Sent: Tuesday, November 14, 2000 8:37 PM
>Subject: RE: [FW1] FW-1 with NAT
>
>
>>
>> Yep, I'm in a duh'ish mode...I know, it's bad form to
>> reply to one's own post, but ignore that last reply (he's
>> a fool anyway ;)
>>
>> Create a group called local_net and do the hide nat
>> with that. Or, create the rule manually in the address translation
>> tab of the rulebase. You might want to make sure you have
>> a nat rule from your local_net to your local_net that doesn't change
>> anything (orig orig orig).
>>
>> Robert
>>
>> >>> "Robert MacDonald" <[email protected]> 11/14/00 9:59:32 PM >>>
>> >
>> >Andrew,
>> >
>> >I might be in one of those duh'ish modes, but why
>> >don't you just use hide nat? You should have an object
>> >defined as the fw with both the internal and external
>> >IP's. Go to the address translation/nat tab and choose
>> >hide mode (or you can define two rules yourself in the
>> >NAT tab of the rulebase.)
>> >
>> >I don't see where the license comes into effect here.
>> >
>> >Robert
>> >
>> >- -
>> >Robert P. MacDonald, Network Engineer
>> >Team Lead, e-Business Infrastructure
>> >G o r d o n F o o d S e r v i c e
>> >Voice:email: [email protected]
>> >
>> >>>> "Luong, David" <[email protected]> 11/14/00 5:47:23 PM >>>
>> >>Thanks for the response...
>> >>
>> >>All other users will be localized to my network and all will be using a
>> >>private 10.x.x.x network while the external (public) interface on the
>> >>NT box will be 216.232.x.x. I have gained responses from people where I
>> >>have to tie in my license to my internal interface, but what about my
>> >>external ????
>> >>
>> >>David.
>> >>
>> >>-----Original Message-----
>> >>From: Andrew Bagrin [mailto:[email protected]]
>> >>Sent: Tuesday, November 14, 2000 2:42 PM
>> >>To: Luong, David; 'Firewall Mailing List'
>> >>Subject: Re: [FW1] FW-1 with NAT
>> >>
>> >>How are the other users connected to you? to what network? with what IP
>> >>address?
>> >>Andrew Bagrin
>> >>Secure-1
>> >>www.secure-1.com
>> >>----- Original Message -----
>> >>From: Luong, David <[email protected]>
>> >>To: 'Firewall Mailing List' <[email protected]>
>> >>Sent: Tuesday, November 14, 2000 1:48 PM
>> >>Subject: [FW1] FW-1 with NAT
>> >>
>> >>> Hi Folks,
>> >>>
>> >>> I have a scenario where I have a PC running NT4.0 SP6a, two NICs with
>> >>> FW-1 4.1 installed on it. One of the NICs will be the external
>> >>> interface (Internet) and the other will be internal to my private
>> >>> network. I have 4-5 other PCs who want to gain access to the Internet
>> >>> through this NT box via ADSL connection. My question is can I have
>> >>> FW-1 do NAT sitting on the internal interface serving other PCs who
>> >>> want to get on the net? If so, how can I configure it?

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
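
Added example (not part of the original thread and not Check Point code): a small Python model of the two address translation rules discussed above, a local_net to local_net rule that changes nothing (orig orig orig) followed by a hide rule behind 216.232.38.65. The first-match evaluation order, the rule layout and the port pool starting at 10000 are assumptions made for illustration.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.1.1.0/24")   # local_net object from the thread
HIDE_IP = ipaddress.ip_address("216.232.38.65")   # firewall external address from the thread

# Ordered NAT rulebase, first match wins: (source net, destination net, action).
RULES = [
    (LOCAL_NET, LOCAL_NET, "original"),                       # orig orig orig
    (LOCAL_NET, ipaddress.ip_network("0.0.0.0/0"), "hide"),   # hide behind HIDE_IP
]


class HideNat:
    def __init__(self, first_port=10000):  # starting port is an arbitrary choice
        self.next_port = first_port
        self.by_flow = {}   # (src ip, src port, dst ip, dst port) -> hide port
        self.by_port = {}   # hide port -> (src ip, src port)

    def outbound(self, src, sport, dst, dport):
        """Return the (source ip, source port) the packet leaves with."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for src_net, dst_net, action in RULES:
            if src in src_net and dst in dst_net:
                break
        else:
            return str(src), sport            # no rule matched: untranslated
        if action == "original":
            return str(src), sport            # internal traffic keeps its address
        flow = (src, sport, dst, dport)
        if flow not in self.by_flow:          # new connection: allocate a port
            self.by_flow[flow] = self.next_port
            self.by_port[self.next_port] = (str(src), sport)
            self.next_port += 1
        return str(HIDE_IP), self.by_flow[flow]

    def inbound(self, dst, dport):
        """Map a reply addressed to the hide IP back to the internal host."""
        if ipaddress.ip_address(dst) != HIDE_IP:
            return None
        return self.by_port.get(dport)        # None: unsolicited, nothing to map
```

Swapping the two entries in RULES makes internal-to-internal traffic leave with the hide address, which is the case the orig orig orig rule is there to prevent.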