
Re: [FW-1] Incorrect NAT translation



Static Route Example WITHOUT local.arp
======================================

Real Internet IP Range: 194.219.37.0 255.255.255.0 Class C
Router IP Address: 194.219.37.1
Firewall IP Address: 194.219.37.2
Internal Private Network: 192.168.100.0 255.255.255.0 Class C
Internal WEB Server: 192.168.100.100
WEB Server Desired Real Internet IP Address: 194.219.37.200

On the Router
=============
ip route 194.219.37.200 255.255.255.255 194.219.37.2

On the Firewall
===============
route add -p 194.219.37.200 255.255.255.255 192.168.100.100

Define the WEB server object, static NAT 194.219.37.200

You are done... No local.arp no nothing, WORKS on Win2K
-------------------------------------------------------



-----Original Message-----
From: Patrick Lotti [mailto:[email protected]]
Sent: Friday, November 02, 2001 12:04 PM
To: [email protected]
Subject: Re: [FW-1] Incorrect NAT translation


Rory Stewart wrote:
>
> Has anyone heard of a problem with NAT translation resolving the http
> address as the internal ip address rather than the external ip address?
>
> We are setting up an http accelerator behind our Nokia 440 firewall where
> the box must be "seen" from the outside.
> I have configured address translation manually from the internal to
> external and back.

WHY "internal to external"? This could confuse the firewall, it's not
necessary.
From outside to inside is fine.

> Created both internal and external ip's as workstations. (Tried putting
> external ip into NAT tab of internal but made no difference).
> Entered "any external any accept" and "internal any any accept" on the
> security policy tab.
Fix it: "any external http accept" (sure), "internal any any drop long"
(strong guess).

> Finally, went on to voyager and created static route to internal ip
> address range and put a proxy arp of the external ip address on the
> external firewall interface ( where they are both in the same ip range ).
> We know our accelerator sees our pings but does not reply. We have our
> laptop gui in front of the firewall and behind our ext router, and
> from there we can enter our accelerator happily using internal ip address
> but not external.

HOW?
internet(ip) ---(ip)ext-router(ip) --- (ips)firewall(ips)= --- (ip)accelerator
                                     |
                                  laptop(ip)

Just give more details, network + ip addresses + nat rules + routes. Sounds
like a routing problem.

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
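
Added example, not part of the original messages: a small Python model of the forwarding decision behind the static-route recipe at the top of this thread, showing which address the router has to ARP for with and without the host route. The addresses are the ones from the message; the simplified routing-table model and the function names are assumptions made for illustration.

```python
import ipaddress

# Addresses taken from the message; everything else is an illustrative model.
NAT_IP = ipaddress.ip_address("194.219.37.200")
FIREWALL_IP = ipaddress.ip_address("194.219.37.2")
WEB_SERVER_IP = ipaddress.ip_address("192.168.100.100")

def route(net, gw=None):
    """One routing-table entry; gw=None means the network is directly connected."""
    return (ipaddress.ip_network(net), ipaddress.ip_address(gw) if gw else None)

def lookup(table, dst):
    """Longest-prefix match over the table, returning (network, gateway)."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda entry: entry[0].prefixlen)

def arp_target(table, dst):
    """The IP a device must resolve to a MAC address to forward a packet to dst."""
    _, gw = lookup(table, dst)
    return gw if gw is not None else ipaddress.ip_address(dst)

# Router with only its connected /24, and with the host route from the message
# (255.255.255.255 written as /32).
ROUTER_CONNECTED_ONLY = [route("194.219.37.0/24")]
ROUTER_WITH_HOST_ROUTE = ROUTER_CONNECTED_ONLY + [
    route("194.219.37.200/32", "194.219.37.2")]

# Firewall: both connected networks plus the host route from the message.
FIREWALL = [route("194.219.37.0/24"), route("192.168.100.0/24"),
            route("194.219.37.200/32", "192.168.100.100")]

def needs_proxy_arp(router_table):
    """True when the router ARPs for the NAT address itself, which no host owns,
    so something (local.arp / proxy ARP) would have to answer on its behalf."""
    return arp_target(router_table, NAT_IP) == NAT_IP

if __name__ == "__main__":
    for name, table in [("connected only", ROUTER_CONNECTED_ONLY),
                        ("with host route", ROUTER_WITH_HOST_ROUTE)]:
        print(f"router ({name}): ARPs for {arp_target(table, NAT_IP)}, "
              f"proxy ARP needed: {needs_proxy_arp(table)}")
    print(f"firewall: forwards {NAT_IP} toward {arp_target(FIREWALL, NAT_IP)}")
```
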




 
   All contents © 2004 Network Presence, LLC. All rights reserved.