Re: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
Same here. Have to add a NAT rule in addition to or instead of the one
created automatically.

Chris

--- Juan Concepcion <[email protected]> wrote:
>
> There is a method to correct this. However, not available to me at this
> very moment. Will post it tomorrow.
>
> Dan Hitchcock wrote:
> >
> > I have also seen this happen when using automatic NAT rules - the
> > firewall is NATting fine, then suddenly, with no explanation, private
> > addresses start leaking to the public network. Nothing in the
> > firewall logs, nothing in fwd.elg, the NAT xlate state tables aren't
> > full, fw ctl pstat looks fine, etc etc.
> >
> > The fix has been to create manual NAT rules in the address translation
> > rulebase rather than automatic NAT rules on the objects themselves.
> >
> > BTW, Hey Check Point, what's up with this? I've never found a
> > satisfactory explanation anywhere for this, and the problem persists
> > right up through 4.1SP4 (have seen it as early as 4.0SP1).
> >
> > Dan Hitchcock
> > CCNP, CCSE, MCSE
> > Security Analyst
> > Breakwater Security Associates, Inc.
> > "Safe Harbor for E-Business"
> > dhitchcock (at) breakwatersecurity (dot) com
> > http://www.breakwatersecurity.com
> >
> > The information contained in this email message may be privileged,
> > confidential and protected from disclosure. If you are not the
> > intended recipient, any dissemination, distribution or copying is
> > strictly prohibited. If you think you have received this email
> > message in error, please email the sender at
> > [email protected]
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Tuesday, September 04, 2001 2:56 AM
> > To: Siow Yun Patricia
> > Cc: [email protected]
> > Subject: Re: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
> >
> > do you have any "halloc failed blah blah" in your fwd.elg?
> >
> > maybe you run out of kernel memory, you can try to increase fwhmem
> > on /etc/system as shown:
> >
> >     set fw:fwhmem=0x900000
> >
> > this number is calculated for my config, i think there is a phoneboy
> > article covering this issue.
> >
> > Raúl.
> >
> > Siow Yun Patricia <[email protected]>@lists.us.checkpoint.com
> > on 03/09/2001 05:59:24
> >
> > Sent by: [email protected]
> >
> > From:    Siow Yun Patricia <[email protected]>@lists.us.checkpoint.com
> > To:
> > Cc:
> > Bcc:
> > Date:    03/09/2001 05:59
> > Subject: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
> >
> > Hi all !
> >
> > Have any administrators encountered this problem before ?
> >
> > Setup :
> > Checkpoint 4.1 sp4 on pair of Sun Ultra 10s Solaris 7. Implements
> > stonebeat fullcluster for HA and load balancing solution. Implements
> > VPN with use of SecuRemote.
> >
> > Problem :
> > NAT fails without reason adhoc basis.
> > Noticed that after pushing out the same policy with minor changes to
> > the firewall many times (during testing). NAT fails to work even though
> > it has previously worked before. What's odd is that after creating a
> > new rulebase and creating a set of rules and NAT exactly the same as
> > before. Pushed it out to the nodes again. NAT works.
> >
> > Are there any state files or config files to remove and check without
> > the need to re-create a new policy every time ?
> >
> > Thanks in advance.
> >
> > Rgds,
> > Patricia
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
>
> --
> Juan Concepcion
> Network Security Engineer
> CCSA CCSE
> [email protected]
>
=== message truncated ===
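
Added example, not part of the original thread: since the symptom described above leaves nothing in the firewall's own logs, one independent check is to watch the public side for RFC 1918 source addresses. The sketch assumes a `tcpdump -n` style text capture taken on the external interface; the sample lines and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges; a source in one of these on the public side means NAT was skipped.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed input: `tcpdump -n` style text, "<time> IP <src>[.port] > <dst>[.port]: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def is_rfc1918(addr):
    """True if addr is a valid IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def find_leaks(lines):
    """Return (timestamp, src, dst) for packets whose private source is headed
    to a non-private destination, i.e. left the firewall untranslated."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 and anything else that is not plain IPv4
        if is_rfc1918(m["src"]) and not is_rfc1918(m["dst"]):
            leaks.append((m["ts"], m["src"], m["dst"]))
    return leaks


# Constructed sample capture from the external interface (documentation addresses).
SAMPLE = """\
09:14:01.100201 IP 203.0.113.10.34211 > 198.51.100.7.80: Flags [S], length 0
09:14:01.480332 IP 10.1.1.5.1025 > 198.51.100.7.80: Flags [S], length 0
09:14:02.000114 IP 198.51.100.7.80 > 203.0.113.10.34211: Flags [S.], length 0
09:14:03.250871 IP 192.168.20.9 > 198.51.100.53: ICMP echo request, id 1, seq 1, length 64
09:14:04.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28
09:14:05.731002 IP 172.32.0.4.5000 > 198.51.100.7.443: Flags [S], length 0
"""

if __name__ == "__main__":
    for ts, src, dst in find_leaks(SAMPLE.splitlines()):
        print(f"{ts} untranslated source {src} -> {dst}")
```

Run against a live capture, a non-empty result is an alert condition in its own right, whatever the firewall logs say.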