RE: [FW1] FW-1 One External Interface- NAT to several public addresses
Jaime,

See below for comments..

[snip]

> fw1:external_interface: 200.10.50.1
> And has to NAT-Hide to: 200.40.20.1 and 200.40.21.1
> So far:
> I've assigned these addresses to router:
> 200.10.50.2
> 200.40.20.2
> 200.40.21.2
> On fw-1, I've set a local.arp
> 200.10.50.1
> 200.40.20.1
> 200.40.21.1

When you're using local.arp, the addresses in the local.arp table must be within the same subnet as the external interface of the firewall. If not, you must define static routes on your router for these subnets/hosts pointing to the firewall. Note that you also need static routes on your firewall for these items. Also, there's no need to put your firewall's IP in local.arp; the underlying OS automatically publishes ARP for this IP address.

> Is there anything else I should do? Like adding manually these ip addresses
> as aliases to external interface or local.arp is enough?
> This configuration seems to work for intervals and suddenly, fw-1 "loses"
> its NAT rules on some hosts.
> Am I missing something?

The ARP table is a table that maps the MAC address to the IP address of a local subnet. At the network layer packets are sent between MAC addresses. A host also doesn't recognize ARP entries that are published from other subnets. It can only send packets directly to a host which is located on the same subnet as itself. If the destination IP is not on the same subnet, it looks up the routing table and sends the packet to the gateway which is specified there.

When the firewall receives a packet it will first see if the packet is allowed, and if it is, it's routed according to the routing table, and now (after the packet is routed) the address translation takes place. This is why you need a static route from the official IP address to the private IP address.

Also, you usually don't use Hide NAT for internal servers. Hide NAT is used when many IPs are translated to one (same as PAT in the Cisco world). Use static NAT, and I'm sure you'll survive this.. ;-)

Good luck!
Lars

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
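The rule Lars states (an address only belongs in local.arp when it sits on the external interface's subnet; anything off-subnet needs static routes on the router and the firewall instead, and the interface's own address needs no entry at all) can be checked mechanically before touching the firewall. The script below is an added example written for this page, not code from the thread or from Check Point. It reuses the addresses Jaime posted; the /24 prefix length, the router address and the interface MAC are assumptions, since the thread never states them, and the route lines it prints describe the shape of the entry, not a literal command for any particular router or OS.

```python
"""Classify public NAT addresses against a FW-1 external interface.

Constructed input: the interface and NAT addresses come from the thread; the
/24 prefix, the router address and the MAC address are assumed placeholders.
"""
import ipaddress

EXTERNAL_IP = "200.10.50.1"          # firewall external interface (from the thread)
EXTERNAL_PREFIXLEN = 24               # assumed; the thread gives no mask
ROUTER_IP = "200.10.50.2"             # assumed to be the router on the same wire
EXTERNAL_MAC = "00:00:00:00:00:01"    # placeholder MAC for local.arp entries
NAT_ADDRESSES = [
    "200.10.50.1",   # the interface's own address (redundant in local.arp)
    "200.40.20.1",   # off-subnet NAT address from the thread
    "200.40.21.1",   # off-subnet NAT address from the thread
    "200.10.50.7",   # constructed on-subnet address, to show the proxy-ARP case
]


def classify_address(addr, external_ip=EXTERNAL_IP, prefixlen=EXTERNAL_PREFIXLEN):
    """Return how a public NAT address must be made reachable at the firewall.

    'own-address'  : it is the interface address; the OS already answers ARP
                     for it, so a local.arp entry is redundant.
    'local.arp'    : on the interface subnet; the router will ARP for it, so
                     the firewall has to publish it and no routes are needed.
    'static-route' : off-subnet; nothing on this wire will ever ARP for it,
                     so local.arp does nothing and the router needs a static
                     route to the firewall (and the firewall one to the host).
    """
    iface = ipaddress.ip_interface(f"{external_ip}/{prefixlen}")
    ip = ipaddress.ip_address(addr)
    if ip == iface.ip:
        return "own-address"
    if ip in iface.network:
        return "local.arp"
    return "static-route"


def plan_nat_addresses(nat_addresses, external_ip=EXTERNAL_IP,
                       prefixlen=EXTERNAL_PREFIXLEN):
    """Map every NAT address to the action it needs."""
    return {a: classify_address(a, external_ip, prefixlen) for a in nat_addresses}


def render_plan(plan, external_ip=EXTERNAL_IP, external_mac=EXTERNAL_MAC):
    """Turn a plan into one configuration line per required change.

    The route lines show what the entry must express, not a vendor's syntax.
    """
    lines = []
    for addr, action in plan.items():
        if action == "own-address":
            lines.append(f"# {addr}: interface address, drop it from local.arp")
        elif action == "local.arp":
            lines.append(f"local.arp: {addr} {external_mac}")
        else:
            lines.append(f"router:   static route {addr}/32 -> {external_ip}")
            lines.append(f"firewall: static route {addr}/32 -> the statically NATed host")
    return lines


if __name__ == "__main__":
    for line in render_plan(plan_nat_addresses(NAT_ADDRESSES)):
        print(line)
```

Running it with the thread's addresses flags 200.10.50.1 as redundant and both 200.40.x.1 addresses as needing routes rather than ARP entries, which is exactly the configuration gap Lars describes; only a constructed on-subnet address such as 200.10.50.7 actually belongs in local.arp.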