Re: [FW1] Firewall Forgetting to NAT?
Not only did we try NATing it to a different address, we tried to temporarily remove NAT, and we even tried to delete and recreate the network object. No bueno.

Dave Grabowski
System Arts, Inc.
[Easy to remember as 6-Hockey-Hero]
[email protected]

--------------------------------------------------------------------------------
From: John_Delisle@ceridian.ca
Date: 05/15/2001 05:00 PM
To: [email protected]
cc: [email protected], [email protected]
Subject: Re: [FW1] Firewall Forgetting to NAT?

Hi Dave,

Try something similar to what I've done: just change the static NAT address, push the policy, change it back to the correct address, push the policy. I've found that works best. Does this work for you also?

John Delisle
Corporate Technology
Ceridian Canada Ltd

--------------------------------------------------------------------------------
From: dgrabowski@systemarts.com
Date: 2001/05/15 03:55 PM
To: [email protected]
cc: [email protected]
Subject: Re: [FW1] Firewall Forgetting to NAT?

I don't have an answer for you, but last week we started experiencing a very similar problem for a single host that is static NAT'ed (using automatic NAT) behind a cluster of Nokia IP330's running FW-1 4.1 SP3 on IPSO 3.3. I sent all info to Checkpoint and have an open ticket. Our "temporary" fix was to add an additional NAT rule. Works fine for now, but IMHO it doesn't "fix" the problem.

Dave Grabowski
System Arts, Inc.
[Easy to remember as 6-Hockey-Hero]
[email protected]

--------------------------------------------------------------------------------
From: [email protected]
Sent by: [email protected]
Date: 05/14/2001 10:03 AM
To: [email protected]
cc:
Subject: [FW1] Firewall Forgetting to NAT?

Hi everyone,

I have a Solaris 2.6 box running Checkpoint Version 4.1 Build 41814. I have multiple DMZ's, an external and an internal interface.

I use Hide nats for internal hosts outbound to the net. For some really strange reason, the firewall seems to forget to NAT traffic now and then. It's like it decides to turn off NAT spontaneously for a random object. Sometimes it's just a specific host, other times it's a network object.

Normally in my logs I see traffic going out the firewall to internet destinations being natted; I see the original source and an xlated src. This is good, everything works fine. Then all of a sudden it stops natting that object. In the log I see the original address but no xlated src anymore. Just requests to outside addresses with invalid internal source addresses.

To fix the problem, I edit the object and change the hide nat address to some other address, push the policy out, go back and change it to the correct old hide address, push the policy out and poof, all is well. What really bothers me is I'm not changing anything to fix it, it's like I just have to kick it to wake it up.. :)

Any ideas?

John Delisle
Corporate Technology
Ceridian Canada Ltd
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
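
Added example, not part of the original thread: one way to spot the symptom described in the first message (outbound log entries that show an internal source but no xlated src) and to record when each source stopped being translated, so the moment can be compared against policy pushes. The CSV layout, the field names (time, src, dst, xlatesrc) and the sample records are constructed assumptions, not the firewall's own export format.

```python
import csv
import io
import ipaddress

# Constructed sample records; the column names are assumptions for illustration.
SAMPLE_LOG = """\
time,src,dst,xlatesrc
10:01:05,10.1.1.20,198.51.100.7,203.0.113.5
10:01:09,10.1.2.31,198.51.100.9,203.0.113.5
10:04:40,10.1.1.20,198.51.100.7,
10:04:41,10.1.1.20,10.9.0.4,
10:05:02,10.1.2.31,198.51.100.9,203.0.113.5
10:05:10,10.1.1.20,192.0.2.80,
"""

# Address space treated as "internal" (assumption: RFC 1918 ranges only).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_untranslated(log_text):
    """Return {src: {first_seen, count, last_translated}} for internal sources
    that reached an external destination without a translated source."""
    findings, last_ok = {}, {}
    for row in csv.DictReader(io.StringIO(log_text)):
        src, dst = row["src"], row["dst"]
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic should be hidden
        if (row.get("xlatesrc") or "").strip():
            last_ok[src] = row["time"]  # NAT still applied at this point
            continue
        hit = findings.setdefault(src, {"first_seen": row["time"], "count": 0,
                                        "last_translated": last_ok.get(src)})
        hit["count"] += 1
    return findings


if __name__ == "__main__":
    for src, info in find_untranslated(SAMPLE_LOG).items():
        print(src, info)
```

The gap between last_translated and first_seen brackets the time at which translation stopped for that source.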