I've read many, many pages in the Checkpoint VPN-1 / FW-1 Administration Guide about Static NAT, as well as various websites, and I must say I am completely confused by the whole process, mainly due to hearing different people's accounts of how to set this up.

My setup is on NT and is as follows:

Firewall Machine - External 216...3, Internal 10.10.10.1

The firewall machine is intended to be the sole gateway to the outside world. I have IP forwarding enabled, the RIP service running, and the additional IPs that I wish to be translated bound to the external interface. The external interface has a gateway listed; the internal one does not.

In FW-1 I have configured a network object for my firewall as well as for my 2 networks. I have configured static address translation rules, and everything from the inside out seems to work properly.
My rules are as follows:

  Original Packet                 ||| Translated Packet
  Source  | Dest  | Service       ||| Source   | Dest     | Service
  --------+-------+-------------------+----------+----------+--------
  Intaddr | any   | any           ||| valid    | orig     | orig
  Any     | valid | any           ||| original | internal | orig
Hosts on my internal LAN can route out to the outside world and show up as their translated IP. The rule sets for the firewall are wide open, accepting anything; the IP address spoofing checks on the firewall's interfaces are disabled.

However, if I am on an external host and attempt to SSH into a box I have configured for Static NAT, the request reaches only the gateway. In the logs it looks as if it does get translated back to the private address.

I have tried adding static routes ( route add 216.xxx.xxx.4 10.10.10.4 ). I have also messed around with the local.arp file, but for each of these I have read various different accounts of the proper method.

If anyone can help me out with some clarification on this issue, or help me see the aspect I am overlooking, it would be greatly appreciated.

Thanks
-----------------------------------------------------------------------
Jonathan Edmunds
Systems Administrator
CreativePlanet
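The following is an added example, not code from the original post or from Check Point. It is a small model of the two-rule static NAT rulebase shown in the post (first match wins, "orig" keeps the original field) and of the two gateway-side items the poster mentions trying, a local.arp proxy-ARP entry and a host route for the translated address. The addresses (216.0.0.x standing in for the redacted 216.xxx.xxx.x range), the local.arp line format, and the idea that each statically translated address needs both an ARP entry and a route are assumptions for the sake of the demonstration, not facts taken from the post. Running it shows that the rulebase itself translates both directions, so a consistency check of the ARP and routing side is a sensible next step when inbound traffic stops at the gateway.

```python
"""Toy model of a two-rule static NAT rulebase plus a gateway prerequisite check.
Added example; not Check Point code. All addresses are constructed."""
from dataclasses import dataclass, replace
import ipaddress

# Constructed placeholders for the post's "valid" (public) and internal networks.
VALID_NET = ipaddress.ip_network("216.0.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.10.10.0/24")

# Static one-to-one mapping: private address -> valid (public) address. Constructed.
STATIC_MAP = {"10.10.10.4": "216.0.0.4"}
REVERSE_MAP = {pub: priv for priv, pub in STATIC_MAP.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def _in(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def translate(pkt: Packet) -> Packet:
    """Apply the post's rulebase; the first matching rule wins.

    Rule 1: Intaddr | any   | any -> valid    | orig     | orig
    Rule 2: Any     | valid | any -> original | internal | orig
    If no rule matches, the packet is returned unchanged."""
    # Rule 1: source on the internal net with a static mapping -> rewrite source.
    if _in(pkt.src, INTERNAL_NET) and pkt.src in STATIC_MAP:
        return replace(pkt, src=STATIC_MAP[pkt.src])
    # Rule 2: destination is a mapped valid address -> rewrite destination.
    if _in(pkt.dst, VALID_NET) and pkt.dst in REVERSE_MAP:
        return replace(pkt, dst=REVERSE_MAP[pkt.dst])
    return pkt


def parse_local_arp(text: str) -> dict:
    """Parse a local.arp-style file: one '<ip> <mac>' pair per line, '#' comments.
    Assumed format for this example."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, mac = line.split()[:2]
        entries[ip] = mac.lower()
    return entries


def check_gateway_prereqs(local_arp: dict, host_routes: dict) -> list:
    """For every translated valid address, report what the gateway is missing:
    a proxy-ARP entry so the gateway answers ARP for the address, and a host
    route so the gateway forwards the address toward the internal host.
    host_routes maps '<valid ip>/32' -> next hop. Returns a list of findings."""
    findings = []
    for priv, pub in STATIC_MAP.items():
        if pub not in local_arp:
            findings.append(f"{pub}: no local.arp entry (gateway will not answer ARP)")
        if host_routes.get(f"{pub}/32") != priv:
            findings.append(f"{pub}: no host route to {priv}")
    return findings


if __name__ == "__main__":
    print(translate(Packet("10.10.10.4", "198.51.100.9", "ssh")))  # outbound, rule 1
    print(translate(Packet("198.51.100.9", "216.0.0.4", "ssh")))   # inbound, rule 2
    arp = parse_local_arp("216.0.0.4 00-11-22-33-44-55  # constructed MAC\n")
    print(check_gateway_prereqs(arp, {}))  # route still missing
```

The rulebase part reproduces what the post's log observation already suggests (inbound traffic to the valid address is rewritten to the private one); the prerequisite check is the part worth running against real configuration, since a translation that succeeds in the rulebase still has to be reachable through the gateway's ARP and routing tables.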