
Re: [FW1] FW-1 with NAT



Thanks again Robert. One more question, which interface would I bind my
license to? I have heard external to my internet (and for VPN) and internal
for natting but which one?!?!?

David.
----- Original Message -----
From: "Robert MacDonald" <[email protected]>
To: <[email protected]>; <[email protected]>
Sent: Wednesday, November 15, 2000 5:21 AM
Subject: Re: [FW1] FW-1 with NAT


David,

A nice side benefit of FW1 is that newcomers can
learn how some of these rules are built, by allowing
the system to control them. If you view the implied rules
or look at the Address Translation rules, you may see
these. As you check/uncheck the policy properties,
these 'auto-rules' will appear or disappear. The same
goes for NATting. If you add NAT to an object, the system
will create the rules for you.

But since these are auto generated by the system, you
cannot edit them directly. I prefer to build my own, because
I have more granular control over the rule.

In your case, let's say your firewall has two interfaces:

Internal is 10.1.1.1/24
External is 216.232.38.65

After you have created an fw ws object, create a network
object called local_net. The IP address is the IP net of your
internal network. In this example it would be 10.1.1.0. The
netmask would be 255.255.255.0.

Now click on the NAT tab and check the box labeled
"Add Automatic Address Translation Rules". Make the
"Translation Method" hide and add the IP address of
216.232.38.65 to the "Hide IP Address" field.

Now go to the Address Translation tab and see two new
rules built just for you.

Now try and duplicate these rules manually and you should
see more of the gruesome details ;)

Best of Luck!
Robert

>>> "David Luong" <[email protected]> 11/15/00 1:01:41 AM >>>
>Hi Robert,
>
>Thanks for the insight. I'm pretty new to checkpoint so if you don't mind my
>ignorance, how do you make a NAT original rule?
>
>David.
>
>----- Original Message -----
>From: "Robert MacDonald" <[email protected]>
>To: <[email protected]>; <[email protected]>;
><[email protected]>
>Sent: Tuesday, November 14, 2000 8:37 PM
>Subject: RE: [FW1] FW-1 with NAT
>
>
>>
>> Yep, I'm in a duh'ish mode...I know, it's bad form to
>> reply to one's own post, but ignore that last reply(he's
>> a fool anyway ;)
>>
>> Create a group called local_net and do the hide nat
>> with that. Or, create the rule manually in the address translation
>> tab of the rulebase. You might want to make sure you have
>> a nat rule from your local_net to your local_net that doesn't change
>> anything(orig orig orig).
>>
>> Robert
>>
>> >>> "Robert MacDonald" <[email protected]> 11/14/00 9:59:32 PM >>>
>> >
>> >Andrew,
>> >
>> >I might be in one of those duh'ish modes, but why
>> >don't you just use hide nat? You should have an object
>> >defined as the fw with both the internal and external
>> >IP's. Go to the address translation/nat tab and choose
>> >hide mode(or you can define two rules yourself in the
>> >NAT tab of the rulebase.)
>> >
>> >I don't see where the license comes into effect here.
>> >
>> >Robert
>> >
>> >- -
>> >Robert P. MacDonald, Network Engineer
>> >Team Lead, e-Business Infrastructure
>> >G o r d o n   F o o d    S e r v i c e
>> >Voice:email: [email protected]
>> >
>> >>>> "Luong, David" <[email protected]> 11/14/00 5:47:23 PM >>>
>> >>Thanks for the response...
>> >>
>> >>All other users will be localized to my network and all will be using a
>> >>private 10.x.x.x network while the external (public) interface on the NT box
>> >>will be 216.232.x.x. I have gained responses from people where I have to tie
>> >>in my license to my internal interface, but what about my external ????
>> >>
>> >>David.
>> >>
>> >>-----Original Message-----
>> >>From: Andrew Bagrin [mailto:[email protected]]
>> >>Sent: Tuesday, November 14, 2000 2:42 PM
>> >>To: Luong, David; 'Firewall Mailing List'
>> >>Subject: Re: [FW1] FW-1 with NAT
>> >>
>> >>How are the other users connected to you? to what network? with what IP
>> >>address?
>> >>Andrew Bagrin
>> >>Secure-1
>> >>www.secure-1.com
>> >>----- Original Message -----
>> >>From: Luong, David <[email protected]>
>> >>To: 'Firewall Mailing List' <[email protected]>
>> >>Sent: Tuesday, November 14, 2000 1:48 PM
>> >>Subject: [FW1] FW-1 with NAT
>> >>
>> >>> Hi Folks,
>> >>>
>> >>> I have a scenario where I have a PC running NT4.0 SP6a, two NIC's with FW-1
>> >>> 4.1 installed on it. One of the NIC will be the external interface
>> >>> (Internet) and the other will be internal to my private network. I have 4-5
>> >>> other PC's who wants to gain access to the Internet through this NT box via
>> >>> ADSL connection. My question is can I have FW-1 do NAT sitting on the
>> >>> internal interface serving other PC's who wants to get on the net? If so,
>> >>> how can I configure it?
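
Added example, not part of the original thread and not Check Point code: a simplified Python model of the hide NAT setup Robert describes, with a no-translation rule for local_net to local_net placed ahead of a rule that hides local_net behind 216.232.38.65. The names `HideNat` and `NAT_RULES` and the port pool starting at 10000 are assumptions made for illustration.

```python
import ipaddress
from itertools import count

LOCAL_NET = ipaddress.ip_network("10.1.1.0/24")   # local_net object from the thread
HIDE_IP = "216.232.38.65"                         # value of the "Hide IP Address" field
ANY = ipaddress.ip_network("0.0.0.0/0")

# (original source, original destination, translated source); None means "Original".
NAT_RULES = [
    (LOCAL_NET, LOCAL_NET, None),   # orig/orig/orig: internal-to-internal is untouched
    (LOCAL_NET, ANY, HIDE_IP),      # everything else from local_net hides behind HIDE_IP
]

class HideNat:
    """Toy many-to-one translator; not Check Point code."""

    def __init__(self, rules, first_port=10000):   # pool start is an assumption
        self.rules = rules
        self.ports = count(first_port)
        self.by_inside = {}    # (inside ip, inside port) -> (hide ip, hide port)
        self.by_outside = {}   # reverse map, used for reply packets

    def outbound(self, src, sport, dst):
        """Return the (source IP, source port) the packet carries after NAT."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule_src, rule_dst, hide_ip in self.rules:   # first matching rule wins
            if s in rule_src and d in rule_dst:
                if hide_ip is None:
                    return (src, sport)
                if (src, sport) not in self.by_inside:
                    mapped = (hide_ip, next(self.ports))
                    self.by_inside[(src, sport)] = mapped
                    self.by_outside[mapped] = (src, sport)
                return self.by_inside[(src, sport)]
        return (src, sport)                              # no rule matched

    def inbound(self, dst, dport):
        """Return the inside (ip, port) for a reply, or None if nothing maps there."""
        return self.by_outside.get((dst, dport))
```

With the rule order reversed, internal-to-internal traffic would also be rewritten to the external address, which is why the no-translation rule sits first. A packet arriving at the hide address on a port with no table entry maps to no inside host.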





