
[FW1] CheckPoint 4.1 SP3 on Windows 2000 and static NAT... No go...

Is it me, or does CheckPoint's "FWXT_DST_STATIC" NAT suck really hard?

I have spent 6 hours reading postings to the CheckPoint newsgroups and reading various engineers' solutions to making static NAT work. I have read the entire CheckPoint Firewall-1 book by Goncalves and Brown, the manual that accompanied the software, CheckPoint's secure knowledgebase, phoneboy's site, and some Star Wars dude's site... and I still cannot make a simple static mapping from a public external IP address to an internal private one. Hmmm....

Steps I've taken...

1) chose a second, unused and provisioned IP from our block of Internet IPs to use for the static mapping (209.x.x.103)

2) I did not bind this IP to an interface (per the majority of the dazed and confused)

3) configured an internal and external network object (several different configurations here... some people say use automatic translation... some say do not use automatic translation but instead create the rules manually)

4) added a permanent route for the external address (route add -p 209.x.x.103 mask 255.255.255.255 192.168.0.2)

5) added MAC to IP translation in the local.arp file under $FWDIR/FW1/STATE (209.x.x.103    aa-bb-cc-dd-ee-ff)

6) verified the translation was in effect by checking the results of the fw ctl arp command... and just to clear up some inconsistencies floating around the newsgroups... according to the output of this CheckPoint command *both* - and : work for the MAC address in the local.arp file

7) stopped the firewall with the fwstop command

8) started the firewall with the fwstart command

9) Re-verified that CheckPoint's static NAT sucks really hard.

At first I thought maybe I was missing something, but later came to realize that I could never read all the postings about the confusion on the setup of static NAT in the newsgroups... there's just too many.

CheckPoint has really dropped the ball here. I can't believe they have no documentation on their website except for a 1997 document by Joe DiPietro for FireWall-1 version 3.0. Hell, it took me 5 minutes to find the knowledgebase at CheckPoint. For such a basic feature, I don't see where all the difficulty comes from. Where I have the problem is... if it eludes this many people, why is there not a GUI wizard for setting up static NAT? Do you really want me to believe that you can't front-end a couple of APIs with a VB app that will inject a static route and modify some cryptic ASCII local.arp file just by asking you in plain English 1) the public IP address, 2) the private address you're hiding, and 3) the MAC address of the external NIC? Come to think of it... I can do it with two questions as long as it's not a load-balanced environment.

Flustered and discombobulated...

-BackBoneBoy-
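The post's steps 4 through 6 amount to a small, error-prone ritual: a host route on the firewall, a `local.arp` line pairing the public address with the external NIC's MAC, and a check that the public address is not also bound to an interface. The script below is an added example (not code from the original post, from CheckPoint, or from any of the sites the poster cites) that lint-checks a `local.arp` file before you run `fwstop`/`fwstart`. It assumes only what the post states: one `<public IP> <MAC>` pair per line, with the MAC written using either `-` or `:` separators, and that the public IP must not be configured on a NIC. The sample file contents, the 203.0.113.0/24 addresses and the `aa-bb-cc-dd-ee-ff` placeholder MAC are all constructed for illustration; the private host 192.168.0.2 is the one from the post.

```python
"""Lint a FireWall-1 local.arp file and emit the matching Windows 2000 host route.

Added example, not from the original post. Assumes (per the post) that each
local.arp line is '<public IP> <MAC>', that the MAC may use ':' or '-' as a
separator, and that the public IP must not be bound to a firewall interface.
"""
import ipaddress
import re

# Constructed sample local.arp contents. The MAC is the placeholder used in the
# post, and 203.0.113.0/24 is a documentation range, not anyone's real block.
SAMPLE_LOCAL_ARP = """\
# public IP          MAC of external NIC
203.0.113.103        aa-bb-cc-dd-ee-ff
203.0.113.104        AA:BB:CC:DD:EE:FF
203.0.113.105        aabb.ccdd.eeff      # Cisco-style separator, rejected
bogus                aa-bb-cc-dd-ee-ff
"""

# Six hex octets, all joined by the same separator, either '-' or ':'.
MAC_RE = re.compile(r"^([0-9a-f]{2})([-:])(?:[0-9a-f]{2}\2){4}[0-9a-f]{2}$",
                    re.IGNORECASE)


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated, or None if malformed.

    Both 'aa-bb-cc-dd-ee-ff' and 'aa:bb:cc:dd:ee:ff' are accepted, matching
    what the post reports 'fw ctl arp' shows for either spelling.
    """
    if not MAC_RE.match(mac):
        return None
    return mac.lower().replace("-", ":")


def parse_local_arp(text):
    """Parse local.arp text into (ip, mac) tuples plus a list of error strings."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected '<ip> <mac>', got {raw!r}")
            continue
        ip_s, mac_s = parts
        try:
            ip = ipaddress.IPv4Address(ip_s)
        except ipaddress.AddressValueError:
            errors.append(f"line {lineno}: bad IPv4 address {ip_s!r}")
            continue
        mac = normalize_mac(mac_s)
        if mac is None:
            errors.append(f"line {lineno}: bad MAC {mac_s!r} "
                          "(use aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff)")
            continue
        entries.append((str(ip), mac))
    return entries, errors


def check_not_bound(entries, interface_ips):
    """Return public IPs that are also bound to a firewall interface.

    The post's step 2: the static-NAT address must *not* be configured on a NIC,
    otherwise the OS answers for it instead of the firewall's NAT engine.
    """
    bound = set(interface_ips)
    return [ip for ip, _ in entries if ip in bound]


def win2k_route_cmd(public_ip, private_ip):
    """The persistent host route from the post's step 4, in Windows 2000 'route' syntax."""
    return f"route add -p {public_ip} mask 255.255.255.255 {private_ip}"


if __name__ == "__main__":
    found, problems = parse_local_arp(SAMPLE_LOCAL_ARP)
    for msg in problems:
        print("ERROR:", msg)
    for ip, mac in found:
        print(f"{ip} -> {mac}")
        print("   ", win2k_route_cmd(ip, "192.168.0.2"))
    # Constructed interface list; in practice feed it the output of 'ipconfig'.
    for ip in check_not_bound(found, ["203.0.113.1", "192.168.0.1"]):
        print("WARNING: public IP is bound to an interface:", ip)
```

Run it against the real `$FWDIR/FW1/STATE/local.arp` and the addresses from `ipconfig` before restarting the firewall; a rejected MAC or an address that is also bound to a NIC are the two silent failures the post's steps are most likely to hide.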



 
   All contents © 2004 Network Presence, LLC. All rights reserved.