Is it me, or does CheckPoint's "FWXT_DST_STATIC" NAT suck really hard?
I have spent 6 hours reading postings to the CheckPoint newsgroups and reading various engineers' solutions to making static NAT work. I have read the entire CheckPoint Firewall-1 book by Goncalves and Brown, the manual that accompanied the software, CheckPoint's secure knowledgebase, phoneboy's site, and some Star Wars dude's site... and I still cannot make a simple static mapping from a public external IP address to an internal private one. Hmmm....
Steps I've taken...

1) chose a second, unused and provisioned IP from our block of Internet IPs to use for the static mapping (209.x.x.103)
2) I did not bind this IP to an interface (per the majority of the dazed and confused)
3) configured an internal and external network object (several different configurations here... some people say use automatic translation... some say do not use automatic translation but instead create the rules manually)
4) added a permanent route for the external address (route add -p 209.x.x.103 mask 255.255.255.255 192.168.0.2)
5) added MAC to IP translation in local.arp file under $FWDIR/FW1/STATE (209.x.x.103 aa-bb-cc-dd-ee-ff)
6) verified the translation was in effect by checking the results of the FW CTL ARP command... and just to clear up some inconsistencies floating around the newsgroups... according to the output of this checkpoint command *both* - and : work for the MAC address in the local.arp file
7) stopped the firewall with the fwstop command
8) started the firewall with the fwstart command
9) Re-verified that CheckPoint's static NAT sucks really hard.
At first I thought maybe I was missing something, but later came to realize that I could never read all the postings about the confusion on the setup of static NAT in the newsgroups... there's just too many.
CheckPoint has really dropped the ball here. I can't believe they have no documentation on their website except for a 1997 document by Joe DiPietro for FireWall-1 version 3.0. Hell, it took me 5 minutes to find the knowledgebase at CheckPoint. For such a basic feature, I don't see where all the difficulty comes from. Where I have the problem is... if it eludes this many people, why is there not a GUI wizard for setting up static NAT? Do you really want me to believe that you can't front-end a couple of APIs with a VB app that will inject a static route and modify some cryptic ASCII local.arp file just by asking you in plain English 1) the public IP address, 2) the private address you're hiding, and 3) the MAC address of the external NIC? Come to think of it... I can do it with two questions as long as it's not a load balanced environment.
Flustered and discombobulated...
-BackBoneBoy-
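The post's checklist (local.arp entry, a host route for the public address, and the public IP deliberately left off any interface) is the kind of thing a small script can verify before the firewall is restarted. The following is an added example, not code from the post or from Check Point: it parses local.arp contents, accepts both the "-" and ":" MAC separators the poster reports fw ctl arp accepting, and flags the two misconfigurations the steps warn about. The sample file, route set and interface set are constructed here; the 198.51.100.x addresses are documentation addresses standing in for the elided 209.x.x.103.

```python
import ipaddress
import re

# Accept "aa-bb-cc-dd-ee-ff" and "aa:bb:cc:dd:ee:ff" (both work in local.arp per the post).
MAC_RE = re.compile(r"^([0-9a-fA-F]{2})([-:])(?:[0-9a-fA-F]{2}\2){4}[0-9a-fA-F]{2}$")

# Constructed sample local.arp contents (not from a real firewall).
SAMPLE_LOCAL_ARP = """# public_ip  mac_of_external_nic
198.51.100.103 aa-bb-cc-dd-ee-ff
198.51.100.104 AA:BB:CC:DD:EE:F0   # second static mapping
"""
# Constructed: host routes present (from 'route add -p ... mask 255.255.255.255').
SAMPLE_HOST_ROUTES = {"198.51.100.103"}
# Constructed: addresses actually bound to interfaces on the firewall host.
SAMPLE_INTERFACE_IPS = {"198.51.100.104", "203.0.113.2"}


def parse_local_arp(text):
    """Return {public_ip: normalized_mac} from local.arp text; '#' starts a comment."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<ip> <mac>', got {raw!r}")
        ip, mac = parts
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {mac!r}")
        entries[ip] = mac.lower().replace("-", ":")  # canonical colon form
    return entries


def check_static_nat(local_arp_text, host_routes, interface_ips):
    """Flag each public NAT IP lacking a /32 route or wrongly bound to an interface."""
    problems = []
    for ip in parse_local_arp(local_arp_text):
        if ip not in host_routes:
            problems.append(f"{ip}: no host route (route add -p {ip} mask 255.255.255.255 <internal>)")
        if ip in interface_ips:
            problems.append(f"{ip}: bound to an interface; local.arp should be the only ARP source")
    return problems


if __name__ == "__main__":
    for p in check_static_nat(SAMPLE_LOCAL_ARP, SAMPLE_HOST_ROUTES, SAMPLE_INTERFACE_IPS):
        print(p)
```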