Re: [FW-1-MAILINGLIST] [FW1] (Still having) NAT Problem (and anti-spoofing is ok)
Hi guys!
Lots of you told me to check my anti-spoof settings. Well...that's ok (I even published other machines over Internet using the same way!)
I really don't know what to do
Thanx again for kind interest

Lorenzo

----- Original Message -----
From: "Steven Wu" <[email protected]>
To: "Satana" <[email protected]>
Cc: <[email protected]>
Sent: Thursday, October 04, 2001 10:27 PM
Subject: Re: [FW1] (Still having) NAT Problem

> It might be related to your fw object anti-spoofing configurations too. Please
> check.
>
> Anyway, I would recommend trying tcpdump or snoop command to sniffer your fw
> interface with the target web server and see what translation packet look like and
> how the traffic routes. It might tell you the problems.
>
> Good luck !
>
> Steven
>
> Satana wrote:
>
> > Hi everybody and thanx for all your answers....
> > I've checked my FW1 rules & Address Translations and...you got me! something
> > was messed up.
> > Anyway..... I forgot to say that I obviously did the ARPing (arp -s EXT_IP
> > MAC_ADDR pub) and I added the route (route add EXT_IP INT_IP 1), but still
> > it isn't working. I've got an error on FW1 logs regarding rule0 (?). I'm
> > pretty out of any ideas...
> > Thanx again for help and interest
> >
> > Lorenzo
> >
> > ----- Original Message -----
> > From: "Chris Arnold" <[email protected]>
> > To: "'Brockhoven, Werner '" <[email protected]>; "''Satana' '" <[email protected]>; <[email protected]>
> > Sent: Thursday, September 27, 2001 5:19 PM
> > Subject: RE: [FW1] NAT Problem
> >
> > > I would stay away from automatic NAT rules personally. Do it manually as
> > > there used to be issues with automatic NAT rules and manually gives you a
> > > finer level of control as well.
> > >
> > > Chris
> > >
> > > -----Original Message-----
> > > From: Brockhoven, Werner
> > > To: 'Satana'; [email protected]
> > > Sent: 9/26/01 2:13 AM
> > > Subject: RE: [FW1] NAT Problem
> > >
> > > Hello Lorenzo,
> > >
> > > So you are trying to configure static destination nat.
> > >
> > > It may be easier to let FW-1 configure the nat rule by configuring the
> > > NAT tab in the workstation object which represents the internal machine.
> > > Because you are using static destination nat you'll have to configure a
> > > route on the firewall for the external ip address and have it point to
> > > the internal ip address of the www server. In your firewall object
> > > you'll have to configure antispoofing on the internal interface and add
> > > the external ip address of the www server. Finally you'll want to
> > > publish the external ip address on your gateway via arp so the external
> > > router knows where to send the packets.
> > >
> > > Regards,
> > >
> > > Werner
> > >
> > > -----Original Message-----
> > > From: Satana [mailto:[email protected]]
> > > Sent: Tuesday, September 25, 2001 10:51 AM
> > > To: [email protected]
> > > Subject: [FW1] NAT Problem
> > >
> > > Hi everybody
> > > I've got this problem: I have to publish over www an internal machine
> > > (which obviously has an internal IP address) and I have to make FW1 nat
> > > its ip to the external ip address (that is already routed on the right
> > > router & CDN).
> > > I've made a rule within the "Address Translation" which says as original
> > > packet :
> > > SOURCE : Internal IP
> > > DESTINATION : Any
> > > SERVICE : Any
> > > as translated packet:
> > > SOURCE : External IP
> > > DESTINATION : Original
> > > Service : Original
> > > And it's obviously installed on FW1 cluster.
> > > There's also a rule in security policy:
> > > SOURCE : Any
> > > DESTINATION : External IP
> > > SERVICE : http
> > > ACTION : Accept
> > > What I have to do now ?
> > > To me it seems all fine, but it doesn't work.
> > > Where I'm doing it wrong ?
> > > Thanks in advance
> > >
> > > Lorenzo

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
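
Werner's reply calls the goal static destination NAT, while the address translation rule quoted in the original post rewrites only the source. The following is an added illustration, not part of the thread and not Check Point's rule engine: a simplified first-match model of the rule columns quoted above, showing what happens to a new inbound HTTP connection with and without a destination rule. The addresses and the names `translate` and `reaches_server` are constructed for the example.

```python
from dataclasses import dataclass

ANY, ORIGINAL = "Any", "Original"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str

@dataclass(frozen=True)
class NatRule:
    # Original-packet match columns, then translated-packet columns,
    # in the same layout as the rule quoted in the thread.
    src: str
    dst: str
    service: str
    xlate_src: str
    xlate_dst: str

def _match(field, value):
    return field == ANY or field == value

def translate(rules, pkt):
    """First matching rule wins; returns (rule index or None, packet after NAT)."""
    for i, r in enumerate(rules):
        if _match(r.src, pkt.src) and _match(r.dst, pkt.dst) and _match(r.service, pkt.service):
            new_src = pkt.src if r.xlate_src == ORIGINAL else r.xlate_src
            new_dst = pkt.dst if r.xlate_dst == ORIGINAL else r.xlate_dst
            return i, Packet(new_src, new_dst, pkt.service)
    return None, pkt

# Constructed addresses from documentation ranges, not values from the thread.
INT_IP, EXT_IP, CLIENT = "10.0.0.10", "192.0.2.10", "198.51.100.7"

# The single rule described in the original post: source translation only.
posted = [NatRule(INT_IP, ANY, ANY, EXT_IP, ORIGINAL)]
# The same rule plus a static destination rule for inbound connections.
with_dst = posted + [NatRule(ANY, EXT_IP, ANY, ORIGINAL, INT_IP)]

def reaches_server(rules):
    """Is a new inbound HTTP connection to EXT_IP re-addressed to INT_IP?"""
    _, out = translate(rules, Packet(CLIENT, EXT_IP, "http"))
    return out.dst == INT_IP

if __name__ == "__main__":
    for name, rules in (("posted rule only", posted), ("plus destination rule", with_dst)):
        idx, out = translate(rules, Packet(CLIENT, EXT_IP, "http"))
        print(f"{name}: matched rule {idx}, inbound dst after NAT = {out.dst}")
    idx, out = translate(with_dst, Packet(INT_IP, CLIENT, "http"))
    print(f"outbound from server: matched rule {idx}, src after NAT = {out.src}")
```

In this model the inbound packet matches no rule when only the posted rule is present, so its destination stays the external address; a tcpdump or snoop capture on the internal interface, as Steven suggests, is where that difference would show up.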