[FW1] NAT trouble
Hope someone can help here. We're having trouble with static NAT and getting a box to be public facing. I've set up a rule so that I can ping the box from my ISP dial-up connection, and this is what I see in the log.

On the inbound echo request I get this...

  Source    Destination   Action   Xltd Srce   Xltd Destination
  ISP IP    Public        Accept   ISP IP      Private

...which is OK and what I would expect. On the return traffic I get this...

  Source    Destination   Action   Xltd Srce   Xltd Destination
  Public    ISP IP        Deny     Private     ISP IP

...which is not what I expect. I know it is being dropped because my rulebase does not allow this traffic the other way around; however, it seems to be NATting the return traffic before applying it to the rulebase rather than after.

If I change my rule pair from...

     Source    Destination   Service
  1. Any       Public        ICMP
  2. Private   Any           ICMP

to...

     Source    Destination   Service
  1. Any       Public        ICMP
  2. Public    Any           ICMP

then I get the ping replies, so I know everything else is working OK. Apply rules is set to Inbound.

I'm using 4.1 SP3 and, looking in the Administration Guide (SecAdmin.pdf) on page 473 (Acrobat pg 501), the way I can get it to work (the 2nd rule pair) is correct behaviour, i.e. all NAT for both the inbound and return packets is performed on the internal interface: the last thing for the inbound packet, the first thing for the return packet. Did Check Point change that for 4.1, as I thought NAT was always the last thing no matter which way the packet was heading?

Confused!

Ali
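The ordering question in the post, modelled as an added example (not code from the original post or from Check Point): a toy first-match rulebase with static NAT between a public and a private address, where the echo reply is translated either before or after the rulebase is consulted. Address names are constructed placeholders.

```python
# Toy model of the FW-1 behaviour described in the post.  A static NAT maps
# PUBLIC <-> PRIVATE; the rulebase is first-match with an implicit drop.
# ICMP is the only service, so rules are just (source, destination, action).
PUBLIC = "public"    # externally visible (translated) address of the box
PRIVATE = "private"  # real internal address
ISP = "isp"          # the dial-up client doing the ping (constructed)
ANY = "any"

# Rule pair 1: what the poster expected to work (NAT after the rulebase).
RULE_PAIR_1 = [(ANY, PUBLIC, "accept"), (PRIVATE, ANY, "accept")]
# Rule pair 2: what actually works on 4.1 (reply NATted before the rulebase).
RULE_PAIR_2 = [(ANY, PUBLIC, "accept"), (PUBLIC, ANY, "accept")]


def match(rules, src, dst):
    """First-match lookup; anything not explicitly accepted is dropped."""
    for rsrc, rdst, action in rules:
        if rsrc in (ANY, src) and rdst in (ANY, dst):
            return action
    return "drop"


def inbound_echo_request(rules):
    """ISP -> PUBLIC: rulebase sees the untranslated packet, NAT comes last."""
    src, dst = ISP, PUBLIC
    action = match(rules, src, dst)
    if action == "accept":
        dst = PRIVATE  # destination NAT on the internal interface
    return action, src, dst


def return_echo_reply(rules, nat_first):
    """PRIVATE -> ISP: source NAT either before (nat_first) or after the rulebase."""
    src, dst = PRIVATE, ISP
    if nat_first:
        src = PUBLIC  # the rulebase now sees the translated source
    action = match(rules, src, dst)
    if not nat_first and action == "accept":
        src = PUBLIC
    return action, src, dst


def ping_works(rules, nat_first):
    """True only if both the request and the reply are accepted."""
    return (inbound_echo_request(rules)[0] == "accept"
            and return_echo_reply(rules, nat_first)[0] == "accept")
```

With nat_first=True only rule pair 2 lets the reply through, reproducing the log lines in the post; with nat_first=False only rule pair 1 does.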