
[FW-1] NAT Based on Service with only one legal IP


  • To: [email protected]
  • Subject: [FW-1] NAT Based on Service with only one legal IP
  • From: Andrew Loh <[email protected]>
  • Date: Fri, 30 Nov 2001 02:05:10 +0800
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcF4/z408+Ue82DTQG2+e6qkW2iBuw==
  • Thread-topic: NAT Based on Service with only one legal IP

Dear all,

I need to set up a Checkpoint "NG" (NT) for a network, but the external
interface has only 1 IP.  There are two servers behind the "NG", one
mail server and one file server.

A. External SecuRemote users will access the internal file server,
provided the internal file server will not do any static NAT.
B. The internal mail server will receive SMTP mail at port 25 and host
an HTTP service at port 80.

What I have tried:

1. If I do static NAT on the internal mail server object, then the
SecuRemote client fails to connect anymore.  It meets requirement B, but
A failed.
2. Otherwise, if I don't do static NAT, SecuRemote users can connect and
access the internal file server.  According to phoneboy,
http://www.phoneboy.com/faq/0428.html , I shall be able to forward only
ports 25 and 80 from "NG" to the internal mail server.  I followed the
FAQ to make sure "Perform destination translation on the client side" is
checked, and the following manually added NAT rules were added before
the automatically added hide NAT rules.

            Original                          Translated
Source  Destination  Service      Source  Destination  Service
Any     firewallNG   SMTP         Any     int_mailsrv  Original
Any     firewallNG   HTTP         Any     int_mailsrv  Original

It didn't work.  If I access port 25 from the internet, the log viewer
will see that the firewall has ACCEPTED the "source" internet IP to
access the "destination" firewallNG at "service" SMTP.  The destination
still shows firewallNG and it just can't reach the internal mail server
SMTP port.

Any help is welcome.

andrew.
