
RE: [FW1] FW-1 One External Interface- NAT to several public addresses



Jaime,
See below for comments..

[snip]

>fw1:external_interface: 200.10.50.1
>And has to NAT-Hide to: 200.40.20.1 and 200.40.21.1
>So far:
>I've assigned these addresses to the router:
>200.10.50.2
>200.40.20.2
>200.40.21.2

>On fw-1, I've set a local.arp
>200.10.50.1
>200.40.20.1
>200.40.21.1

When you're using local.arp, the addresses in the local.arp table must be
within the same subnet as the external interface of the firewall. If not,
you must define static routes on your router for these subnets/hosts
pointing to the firewall. Note that you also need static routes on your
firewall for these items. Also, there's no need to put your firewall's IP in
local.arp. The underlying OS automatically publishes ARP for this IP address.


>Is there anything else I should do? Like manually adding these IP addresses
>as aliases to the external interface, or is local.arp enough?
>This configuration seems to work for intervals and then suddenly fw-1 "loses"
>its NAT rules on some hosts.

>Am I missing something?

The ARP table is a table that maps the MAC address to the IP address of a
local subnet. At the network layer packets are sent between MAC addresses.
A host also doesn't recognize ARP entries that are published from other
subnets. It can only send packets directly to a host which is located on the
same subnet as itself. If the destination IP is not on the same subnet, it
looks up the routing table and sends the packet to the gateway which is
specified there.

When the firewall receives a packet it will first see if the packet is
allowed, and if it is, it's routed according to the routing table, and now
(after the packet is routed) the address translation takes place. This is
why you need a static route from the official IP address to the private IP
address. Also, you usually don't use hide NAT for internal servers. Hide
NAT is used when many IPs are translated to one (same as PAT in the Cisco
world). Use static NAT, and I'm sure you'll survive this.. ;-)

Good luck!

Lars



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.