
Re: [FW1] [Total newbie alert] NAT without NAT ?!?





Well, it sounds like you're missing your "no NAT" rule... With internal-to-DMZ traffic, you will want to add two no-NAT rules to the top of your Address Translation:
InternalNet, DMZnet, original, original
DMZnet, InternalNet, original, original


That should fix you up... and get your weekend started on the right foot!

Joe



[email protected] wrote:

I have a question (more of an understanding of functionality issue) about FW-1 ver4.1, in regards to something having come up when I tried to debug an assumed network problem. Here is the environment: "three-leg" FW-1 setup (one leg internal, one DMZ, and one Internet). The problem I was having forced me to run Ethereal on one machine (the "client") placed internally (let's say 172.16.1.1) and also run Ethereal on the "server" located in the DMZ (let's say x.y.z.w), which the client has problems communicating with. Here is the (to me - the FW-1 newbie) strange problem:

- the trace taken on the machine inside shows communication between: 172.16.1.1 port "n" <---> x.y.z.w port 80
- the trace taken on the server shows communication between:
x.y.z.t port "m" <---> x.y.z.w port 80, where x.y.z.t is the DMZ interface address on the firewall, and port "m" is obviously other than "n" of the client!!!
- FW-1 has NO rule to NAT the internal machines!!!
- the access from the internal machine to DMZ is free!!!


And here is my (again - apologies for not knowing FW-1) opinion: FW-1 should have behaved like a router, with replacement (obviously) only of the MAC address of the DMZ interface, when allowing the internal client out on the DMZ (which is another subnet), but NOT replacing the IP and port ?!?! It looks to me like a router-like behavior is actually now behaving like a NAT and PAT ?!? Is there anything I am missing here?!?

TIA,
Stef



================================================================================
    To unsubscribe from this mailing list, please see the instructions at
              http://www.checkpoint.com/services/mailing.html
================================================================================
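An added illustration, not part of either post, of why Joe's two "original, original" rules have to sit above the hide rule: FW-1 evaluates the Address Translation rulebase first-match, so an exemption placed below a hide rule never fires. The rulebase below assumes an internal-to-any hide-NAT rule (hide "behind the gateway", which uses the egress interface address) to reproduce what Stef captured; the DMZ and external addresses are constructed stand-ins for x.y.z.w / x.y.z.t.

```python
import ipaddress
from itertools import count

# Constructed topology: 172.16.1.1 is Stef's client; 192.0.2.0/24 stands in
# for the DMZ x.y.z.0/24, 192.0.2.1 for the DMZ interface x.y.z.t.
INTERNAL = ipaddress.ip_network("172.16.0.0/16")
DMZ = ipaddress.ip_network("192.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_IFACE = "192.0.2.1"      # firewall's DMZ leg (x.y.z.t in the thread)
EXT_IFACE = "203.0.113.1"    # firewall's Internet leg (constructed)
_pat_ports = count(10000)    # hide NAT allocates a fresh source port (constructed range)


def egress_iface(dst):
    """Hide 'behind the gateway' uses the address of the interface the packet leaves on."""
    return DMZ_IFACE if ipaddress.ip_address(dst) in DMZ else EXT_IFACE


def translate(pkt, rules):
    """Apply the FIRST matching translation rule to (src, sport, dst, dport)."""
    src, sport, dst, dport = pkt
    for src_net, dst_net, action in rules:
        if ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net:
            if action == "original":                 # no-NAT rule: packet untouched
                return pkt
            if action == "hide":                     # hide NAT = new source IP and port (PAT)
                return (egress_iface(dst), next(_pat_ports), dst, dport)
    return pkt                                       # no rule matched: no translation


# Assumed rulebase behind Stef's symptom: one hide rule and no exemption.
BROKEN = [(INTERNAL, ANY, "hide")]

# Joe's fix: the two no-NAT rules go ABOVE the hide rule so they match first.
FIXED = [
    (INTERNAL, DMZ, "original"),
    (DMZ, INTERNAL, "original"),
    (INTERNAL, ANY, "hide"),
]

# Same two rules appended BELOW the hide rule: first-match means they never fire.
WRONG_ORDER = [(INTERNAL, ANY, "hide"), (INTERNAL, DMZ, "original"), (DMZ, INTERNAL, "original")]

if __name__ == "__main__":
    client_to_dmz = ("172.16.1.1", 1025, "192.0.2.80", 80)
    print("broken:     ", translate(client_to_dmz, BROKEN))       # source becomes 192.0.2.1:<new port>
    print("fixed:      ", translate(client_to_dmz, FIXED))        # unchanged, as on a router
    print("wrong order:", translate(client_to_dmz, WRONG_ORDER))  # still hidden
```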







