Some days ago I wrote this mail:
Hello:
I've got the following problem:
I have installed my FW-1 with the following configuration: a
valid IP address for the external card of FW-1 (for example 10.0.0.1), and two
internal non-valid addresses, e.g. 192.168.10.254 for my localnet and
192.168.1.254 for my DMZ. In my localnet I have used hidden NAT and the
result is successful; in my DMZ I've put Static NAT using a real Internet
address. Also I have put a static route on my FW-1 server as route add -p
10.0.0.25 192.168.1.1. Then, if I delete all security rules of FW-1, I can go out
from my firewalled machine through the FW-1, and using a sniffer I can see
that the packets are translated, but if I try to access my firewalled machine
using its real Internet address, my FW-1 ignores the packets.
To summarize, my outgoing connections are OK, but the
incoming connections are lost. The problem is not in the security
rules because I've put: all all all accept. Also I have put a file called
local.apr with the IP of my firewalled machine and my FW-1 external address and
the MAC address of my external firewall card in the %%systemroot\fw1\4.1\state\
and it does not seem to work. I'm using FW-1 4.1 SP3 on Win2000 Server.
Thanks for all
Best Regards Javier
And now I've got the solution.
You only need to run fwparp.exe: fwparp static_ip
external_fw-1_ip. Below is a short summary (thanks, Dave
Grabowski) that explains what I did to make it work.
How to configure Static NAT on Windows 2000

Fact: FireWall-1 4.1 SP2
Fact: Windows 2000
Fact: Static NAT
Fact: fwparp.exe
Fact: ARP
Fact: Routing and Remote Access
Fact: IP Forwarding

Fix: Please follow this set of actions:
1) Disable "Routing and Remote Access" (to access this service go to: Start ->
Programs -> Administrative Tools -> Routing and Remote Access ->
right-click the server and press Disable)
2) Reboot the machine
3) Open the registry from the command line by running the command "regedit"
4) Go to -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
5) Change the value to "1" in the DWORD key "IPEnableRouter"
6) Restart the machine
7) Now you can run the 'fwparp.exe' utility as follows: 'fwparp
static_ip external_fw-1_ip'
8) Add a route to the FireWall-1 routing table
as follows: 'route add -p static_ip invalid_ip'
9) Start the FireWall-1 machine (fwstart)
10) Install the policy (after verifying that you've
configured the static NAT on the host)

(Note that you have to run 'fwparp.exe' after every
reboot)
Regards: Javier Chordá Navarro
-------------------------------------
Consultoría & Comunicaciones de Navarra
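
Because fwparp has to be run again after every reboot, steps 5, 7 and 8 of the procedure above can be wrapped in a batch file that is run before fwstart. This is an added example, not part of the original mail or of Check Point's tooling; it assumes reg.exe (Windows 2000 Support Tools) and fwparp.exe are on the PATH, and it uses the example addresses from the mail as placeholders.

```batch
@echo off
rem Added example: re-apply the static NAT prerequisites after a reboot.
rem Addresses are the example values from the mail; replace with your own.
rem Assumption: reg.exe (Support Tools) and fwparp.exe are on the PATH.
setlocal
set STATIC_IP=10.0.0.25
set EXT_FW_IP=10.0.0.1
set DMZ_HOST_IP=192.168.1.1
set TCPIP_KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

rem Step 5: IP forwarding must be enabled, otherwise stop here.
reg query "%TCPIP_KEY%" /v IPEnableRouter | find "0x1" >nul
if errorlevel 1 (
    echo ERROR: IPEnableRouter is not 1. Set it and reboot first.
    exit /b 1
)

rem Step 8: add the persistent host route only if it is not already present.
route print %STATIC_IP% | find "%DMZ_HOST_IP%" >nul
if errorlevel 1 route add -p %STATIC_IP% %DMZ_HOST_IP%

rem Step 7: the fwparp setting is lost on reboot, so run it every time.
fwparp %STATIC_IP% %EXT_FW_IP%

echo Prerequisites applied for %STATIC_IP%. Now run fwstart.
endlocal
```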