
Re: [FW-1-MAILINGLIST] [FW1] (Still having) NAT Problem (and anti-spoofing is ok)



Hi guys!
Lots of you told me to check my anti-spoof settings.
Well...that's ok (I even published other machines over Internet using the
same way!)
I really don't know what to do
Thanx again for kind interest

Lorenzo


----- Original Message -----
From: "Steven Wu" <[email protected]>
To: "Satana" <[email protected]>
Cc: <[email protected]>
Sent: Thursday, October 04, 2001 10:27 PM
Subject: Re: [FW1] (Still having) NAT Problem


> It might be related to your fw object anti-spoofing configurations too. Please
> check.
>
> Anyway, I would recommend trying the tcpdump or snoop command to sniff your fw
> interface with the target web server and see what the translation packets look
> like and how the traffic routes. It might tell you the problems.
>
> Good luck !
>
> Steven
>
>
> Satana wrote:
>
> > Hi everybody and thanx for all your answers....
> > I've checked my FW1 rules & Address Translations and...you got me! something
> > was messed up.
> > Anyway..... I forgot to say that I obviously did the ARPing (arp -s EXT_IP
> > MAC_ADDR pub) and I added the route (route add EXT_IP INT_IP 1), but still
> > it isn't working. I've got an error on FW1 logs regarding rule0 (?). I'm
> > pretty out of any ideas...
> > Thanx again for help and interest
> >
> > Lorenzo
> >
> > ----- Original Message -----
> > From: "Chris Arnold" <[email protected]>
> > To: "'Brockhoven, Werner '" <[email protected]>; "''Satana' '" <[email protected]>; <[email protected]>
> > Sent: Thursday, September 27, 2001 5:19 PM
> > Subject: RE: [FW1] NAT Problem
> >
> > >
> > > I would stay away from automatic NAT rules personally.  Do it manually as
> > > there used to be issues with automatic NAT rules and manually gives you a
> > > finer level of control as well.
> > >
> > > Chris
> > >
> > > -----Original Message-----
> > > From: Brockhoven, Werner
> > > To: 'Satana'; [email protected]
> > > Sent: 9/26/01 2:13 AM
> > > Subject: RE: [FW1] NAT Problem
> > >
> > > Hello Lorenzo,
> > >
> > > So you are trying to configure static destination nat.
> > >
> > > It may be easier to let FW-1 configure the nat rule by configuring the
> > > NAT tab in the workstation object which represents the internal machine.
> > > Because you are using static destination nat you'll have to configure a
> > > route on the firewall for the external ip address and have it point to
> > > the internal ip address of the www server.  In your firewall object
> > > you'll have to configure antispoofing on the internal interface and add
> > > the external ip address of the www server.  Finally you'll want to
> > > publish the external ip address on your gateway via arp so the external
> > > router knows where to send the packets.
> > >
> > > Regards,
> > >
> > > Werner
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Satana [mailto:[email protected]]
> > > Sent: Tuesday, September 25, 2001 10:51 AM
> > > To: [email protected]
> > > Subject: [FW1] NAT Problem
> > >
> > >
> > > Hi everybody
> > > I've got this problem: I have to publish over www an internal machine
> > > (which obviously has an internal IP address) and I have to make FW1 nat
> > > its ip to the external ip address (that is already routed on the right
> > > router & CDN).
> > > I've made a rule within the "Address Translation" which says as original
> > > packet :
> > > SOURCE : Internal IP
> > > DESTINATION : Any
> > > SERVICE : Any
> > > as translated packet:
> > > SOURCE : External IP
> > > DESTINATION : Original
> > > Service : Original
> > > And it's obviously installed on FW1 cluster.
> > > There's also a rule in security policy:
> > > SOURCE : Any
> > > DESTINATION : External IP
> > > SERVICE : http
> > > ACTION : Accept
> > > What do I have to do now? To me it seems all fine, but it doesn't work.
> > > Where am I doing it wrong?
> > > Thanks in advance
> > >
> > > Lorenzo


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
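
Added example, not part of the original thread and not Check Point code: a simplified first-match model of the two address-translation rules discussed above. It shows that the source-only rule from the original question leaves an inbound request to the external address untranslated, while a static destination rule of the kind named in the reply rewrites it. All addresses and the NatRule/translate names are constructed for illustration; the route, ARP and anti-spoofing steps listed in the reply are assumed to be in place.

```python
from dataclasses import dataclass, replace
from typing import Optional

ANY = None        # wildcard in an "original packet" column
ORIGINAL = None   # "Original" in a "translated packet" column: leave the field as is

INT_IP = "10.0.0.10"     # constructed internal address of the www server
EXT_IP = "192.0.2.10"    # constructed external (published) address
CLIENT = "198.51.100.7"  # constructed Internet client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    orig_src: Optional[str]
    orig_dst: Optional[str]
    xlate_src: Optional[str]
    xlate_dst: Optional[str]

    def matches(self, p: Packet) -> bool:
        return self.orig_src in (ANY, p.src) and self.orig_dst in (ANY, p.dst)


def translate(rules, p: Packet) -> Packet:
    """Apply the first matching rule; an unmatched packet passes through unchanged."""
    for r in rules:
        if r.matches(p):
            return replace(p, src=r.xlate_src or p.src, dst=r.xlate_dst or p.dst)
    return p


# Rule as written in the original question: it matches on source only.
SOURCE_RULE = NatRule(orig_src=INT_IP, orig_dst=ANY, xlate_src=EXT_IP, xlate_dst=ORIGINAL)
# Static destination rule (hypothetical values) for traffic arriving at EXT_IP.
DEST_RULE = NatRule(orig_src=ANY, orig_dst=EXT_IP, xlate_src=ORIGINAL, xlate_dst=INT_IP)


def inbound_reaches_server(rules) -> bool:
    """True if a client request sent to EXT_IP ends up addressed to INT_IP."""
    return translate(rules, Packet(CLIENT, EXT_IP)).dst == INT_IP


if __name__ == "__main__":
    print("source rule only:     ", inbound_reaches_server([SOURCE_RULE]))
    print("with destination rule:", inbound_reaches_server([SOURCE_RULE, DEST_RULE]))
    print("server reply:         ", translate([SOURCE_RULE, DEST_RULE], Packet(INT_IP, CLIENT)))
```

A capture on the internal interface, as suggested in the thread, would show the same difference: whether the destination address of the forwarded request is still the external one.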



 