
Re: AW: [FW1] CheckPoint 4.1 SP3 on Windows 2000 and static NAT... No go...




Arno,
Maybe you know how to get rid of the NDISWANIP adapter interface when using RRAS? When I use RRAS and use the IP network router wizard, NG thinks there is a NDISWANIP interface when I do a "get interfaces" in the topology tab of the firewall object. If I delete it I then get a warning about anti-spoofing when I apply a policy. Where did I go wrong?


Thanks

Bob


From: Arno Hechenberger <[email protected]>
To: "'Robert Thompson'" <[email protected]>, "FW-1 Mailing List ([email protected])" <[email protected]>
Subject: AW: [FW1] CheckPoint 4.1 SP3 on Windows 2000 and static NAT... No go...
Date: Mon, 6 Aug 2001 09:32:06 +0200


Hello !

This is a problem with Win2k and RRAS. Look at Q282312 on TechNet.
It will be fixed in Win2k SP3.

Use Checkpoint NG and try the automatic translation rules - it will work
fine just now - but the local.arp is ignored by Win2k.

Arno


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On behalf of
Robert Thompson
Sent: Friday, 3 August 2001 08:04
To: [email protected]
Subject: [FW1] CheckPoint 4.1 SP3 on Windows 2000 and static NAT... No go...




Is it me, or does CheckPoint's "FWXT_DST_STATIC" NAT suck really hard?

I have spent 6 hours reading postings to the CheckPoint newsgroups and
reading various engineers' solutions to making static NAT work. I have read
the entire CheckPoint Firewall-1 book by Goncalves and Brown, the manual
that accompanied the software, CheckPoint's secure knowledgebase, phoneboy's
site, and some Star Wars dude's site... and I still cannot make a simple
static mapping from a public external IP address to an internal private one.
Hmmm....


Steps I've taken...

1) chose a second, unused and provisioned IP from our block of Internet IPs
to use for the static mapping (209.x.x.103)

2) I did not bind this IP to an interface (per the majority of the dazed and
confused)


2) configured an internal and external network object (several different
configurations here... some people say use automatic translation... some say
do not use automatic translation but instead create the rules manually)


3) added a permanent route for the external address (route add -p
209.x.x.103 mask 255.255.255.255 192.168.0.2)

4) added MAC to IP translation in local.arp file under $FWDIR/FW1/STATE
(209.x.x.103    aa-bb-cc-dd-ee-ff)

5) verified the translation was in effect by checking the results of the FW
CTL ARP command... and just to clear up some inconsistencies floating around
the newsgroups... according to the output of this checkpoint command *both*
- and : work for the MAC address in the local.arp file


6) stopped the firewall with the fwstop command

7) started the firewall with the fwstart command

9) Re-verified that CheckPoint's static NAT sucks really hard.

At first I thought maybe I was missing something, but later came to realize
that I could never read all the postings about the confusion on the setup of
static NAT in the newsgroups... there's just too many.


CheckPoint has really dropped the ball here. I can't believe they have no
documentation on their website except for a 1997 document by Joe DiPietro
for FireWall-1 version 3.0. Hell, it took me 5 minutes to find the
knowledgebase at CheckPoint. For such a basic feature, I don't see where all
the difficulty comes from. Where I have the problem is... if it eludes this
many people, why is there not a GUI wizard for setting up static NAT? Do you
really want me to believe that you can't front-end a couple APIs with a VB
app that will inject a static route and modify some cryptic ASCII local.arp
file just by asking you in plain English 1) the public IP address 2) the
private address you're hiding, and 3) the MAC address of the external NIC?
Come to think of it... I can do it with two questions as long as it's not a
load balanced environment.


Flustered and discombobulated...

-BackBoneBoy-






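As an added example (not from this thread, and not Check Point's own tooling), a small Python checker for the local.arp file the steps above revolve around: it parses "IP MAC" lines, accepts both the "-" and ":" MAC separators that step 5 reports fw ctl arp accepting, normalizes them, flags duplicate or malformed entries, and cross-checks the entries against the static NAT addresses in use (an address with no entry gets no proxy ARP reply; an address bound to an interface breaks the rule in step 2). The sample file contents, the 203.0.113.0/24 addresses and the "#" comment convention are constructed assumptions.

```python
import ipaddress
import re
# A MAC as aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff, one separator throughout.
MAC_RE = re.compile(r"^[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)

# Constructed local.arp contents: '-' and ':' entries, a duplicate IP, a bad IP, a short MAC.
SAMPLE_LOCAL_ARP = """\
203.0.113.103    aa-bb-cc-dd-ee-ff
203.0.113.104    aa:bb:cc:dd:ee:ff

203.0.113.103    AA-BB-CC-DD-EE-FF
not-an-ip        aa-bb-cc-dd-ee-ff
203.0.113.105    aa-bb-cc-dd-ee
"""

def normalize_mac(mac: str) -> str:
    """Return the MAC lower-cased and colon-separated; raise ValueError if malformed."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.lower().replace("-", ":")

def parse_local_arp(text: str):
    """Parse 'IP MAC' lines; return ({ip: normalized mac}, [error messages])."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # skip blank lines and '#' comments (assumed)
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected 'IP MAC', got {raw!r}")
            continue
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))
            mac = normalize_mac(parts[1])
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if ip in entries:
            errors.append(f"line {lineno}: duplicate entry for {ip}")
        entries.setdefault(ip, mac)  # first entry wins, later ones are reported
    return entries, errors

def check_static_nat(entries, nat_public_ips, interface_ips):
    """Cross-check proxy-ARP entries against the static NAT addresses in use."""
    problems = [f"{ip}: no local.arp entry, so nothing answers ARP for it"
                for ip in nat_public_ips if ip not in entries]
    problems += [f"{ip}: bound to a local interface; a NAT address should not be"
                 for ip in entries if ip in interface_ips]
    return problems
```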


