Re: [FW-1] Problem with Static NAT in a lab environment



Hi Fernando,

I'm running Checkpoint NG on NT4 SP6a (test lab environment) on both
firewalls. Sorry, forgot to mention OS versions etc.

The strange thing is that it works in one direction and the logs confirm NAT
is working. After checking both firewall rule bases and object configs,
everything looks correct. I still get the "the_flags 2 message_info_TCP packet out
of state" error.

CPNG does automatic ARP so that the gateway answers ARP requests for NAT'ed
addresses. I will still check the local.arp file and go over the config.

Thanks for your assistance.


Marc


-----Original Message-----
From: Fernando Hagelsieb C. [mailto:[email protected]]
Sent: 20 December 2001 16:39
To: [email protected]
Subject: Re: [FW-1] Problem with Static NAT in a lab environment


Hi Marc:

I don't know what versions of FW-1 you are running and what OS versions you
have on both firewalls.

Meanwhile, when I do a static NAT on FW-1 I do the following steps:
1. Create objects in FW-1 and NAT rules (please verify that the NAT rules are not
hidden by other NAT rules).
2. Create a route from the server's public address to the server's internal address on
the FW-1 machine. (I have tested on WinNT 4.0 and version 4.1.)
3. Create an entry in the local.arp file with the server's public address and the
MAC address of the FW-1 external interface. (The local.arp file is in the
$FWDIR\state\ directory.)

NT:

Create a text file named local.arp in the $FWDIR\state directory. Each line
in the file should be of the form:

<IP Address> <MAC Address>

where <IP Address> is the gateway's external interface and <MAC Address> (in
the format "xx-xx-xx-xx-xx-xx") is that interface's MAC address. For example,

199.203.73.3 00-a0-c9-45-b5-78

I suggest that you reboot the firewall machine after this change, but I'm not
sure if this step is a MUST.

Another test I suggest you do is to place a computer on the public
network, so that you can really test where the problem is and whether NAT is
really causing this symptom. (This computer does not have to be behind any
firewall.)


Hope this helps.


----- Original Message -----
From: "Marc Kisner" <[email protected]>
To: <[email protected]>
Sent: Thursday, December 20, 2001 9:08 AM
Subject: [FW-1] Problem with Static NAT in a lab environment


> Hi all,
>
> I am testing static NAT between two firewalls, fw.madrid.cp and fw.rome.cp.
>
> Set up is as follows
>
> Each firewall has a web server sitting behind it on a private network. I
> have created all the correct objects on each firewall and everything works
> as expected until Static NAT rules are applied.
>
> In the workstation properties for each web server object, I click on the NAT
> tab and put in the VIP address for the webserver. I also add the VIP address in
> the NAT tab of the partner city webserver. I have checked the corresponding
> properties on each firewall and they are all correct.
>
> The problem is as follows
>
> When I connect to the VIP address for www.madrid.cp from fw.rome.cp via
> http everything works fine and the logs confirm that NAT is configured
> correctly. When connecting to www.rome.cp from fw.madrid.cp via http the
> connection fails and is dropped by fw.rome.cp. The logs on fw.rome.cp have the
> following:
>
> the_flags 2 message_info_TCP packet out of state
>
> I may be missing something obvious but any assistance would be most
> helpful.
>
>
> Thanks
>
>
> Marc
>
>
>
>
>
>
>
>
> Marc Kisner
> Harrier Group
>
> Switchboard:    +44 (0)> Facsimile:      +44 (0)> Mobile: +44 (0) 77740 431 598
> DDI                     +44 (0)>
> Email:  mailto:[email protected]
> Web:    http://www.harrierzeuros.co.uk
>
> Privileged/Confidential Information may be contained in this message. If
> you are not the addressee indicated in this message (or responsible for
> delivery of the message to such person), you may not copy or deliver this
> message to anyone. In such case, you should destroy this message and
> kindly notify the sender by reply email. Please advise immediately if you or
> your employer do not consent to Internet email for messages of this kind.
> Opinions, conclusions and other information in this message that do not
> relate to the official business of my firm shall be understood as neither
> given nor endorsed by it.
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>

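As an added illustration (not code from this thread or from Check Point), a small Python check that parses a local.arp file in the "<IP Address> <MAC Address>" format Fernando describes and reports the things he suggests verifying: NAT addresses with no ARP entry, entries whose MAC is not the gateway's external interface, duplicate IPs and malformed lines. The sample file contents, the NAT address list and the external MAC are constructed.

```python
import ipaddress
import re

# local.arp uses "xx-xx-xx-xx-xx-xx"; colons are also accepted so a MAC copied from "ipconfig /all" compares equal.
_MAC_RE = re.compile(r"^[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)

def normalize_mac(mac):
    """Return the MAC as lowercase, dash-separated; None if it is malformed."""
    return mac.lower().replace(":", "-") if _MAC_RE.match(mac) else None

def parse_local_arp(text):
    """Parse "<IP> <MAC>" lines into (ip, mac) tuples plus (lineno, error) pairs."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # tolerate blank and comment lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append((lineno, "expected '<IP> <MAC>'"))
            continue
        try:
            ip = str(ipaddress.IPv4Address(parts[0]))
        except ipaddress.AddressValueError:
            errors.append((lineno, "bad IPv4 address"))
            continue
        mac = normalize_mac(parts[1])
        if mac is None:
            errors.append((lineno, "bad MAC address"))
            continue
        entries.append((ip, mac))
    return entries, errors

def check_local_arp(text, nat_addresses, external_mac):
    """Findings: malformed lines, duplicate IPs, MACs other than the external interface, missing NAT addresses."""
    entries, errors = parse_local_arp(text)
    findings = [f"line {n}: {msg}" for n, msg in errors]
    ext = normalize_mac(external_mac)
    seen = {}
    for ip, mac in entries:
        if ip in seen:
            findings.append(f"duplicate entry for {ip}")
        seen[ip] = mac
        if mac != ext:
            findings.append(f"{ip} maps to {mac}, not the external interface {ext}")
    findings += [f"no local.arp entry for NAT address {a}" for a in nat_addresses if a not in seen]
    return findings

# Constructed sample: the second MAC is one hex digit short, and 199.203.73.5 has no entry at all.
SAMPLE_LOCAL_ARP = "199.203.73.3 00-a0-c9-45-b5-78\n199.203.73.4 00-a0-c9-45-b5-7\n"
```

Run `check_local_arp(SAMPLE_LOCAL_ARP, ["199.203.73.3", "199.203.73.5"], "00-A0-C9-45-B5-78")` against a copy of $FWDIR\state\local.arp and the VIP list from the NAT rule base to see which side of the thread's asymmetric failure is missing its entry.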