
Re: [FW-1] Nat issues



Hey group, have a question on NATing that has got me stumped.

We currently have a distributed FW 4.1 SP4 setup.  Basic setup:

                         internet---router--fw--router--management
                                                              |
                                                                 -- host1

We have two sets of internal addressing.  A 10.x.x.x network and a set of
real IPs 207.x.x.x that are just not broadcast out, so they are basically
used as private IPs as well.  We NAT going out the firewall to a set of
routable IP addresses.  Implied rules show in and outgoing NAT rules
correctly.

Ok, currently we have a machine with a 207.x.x.x address running an SMTP
server and HTTP server.  To this point, people can access it fine, as well
as it accessing the outside world fine.  Therefore I figure that the rule
set and NAT rules are correct (any host1 http/SMTP accept) & (host1 any any
accept).

Now, I moved the box to a 10.x.x.x address, changed and verified DNS, as
well as checked the FW's resolution of it, changed the FW's "host1" object
to the new address, and installed the policy.

I can now go out from host1 to any site fine as I could before.  However,
traffic does not come in to this machine via the allowed ports.  I've
checked the FW's static routes, can reach the internal address from the FW
fine, and I've snooped incoming and outgoing traffic to the firewall and it
seems traffic to host1 never leaves the FW.  I've triple checked the numbers,
and even moved it back to a different 207.x.x.x number which brought it back
to a working condition, so it seems that the de-NAT fails with this internal
IP scheme.  I tried a test box and the same results occur.  The firewall is
not directly connected to either the 10.x.x.x or 207.x.x.x network, so it
has to use its routing table for both.

I put the log attribute on the policy entry and do see accepts on the
incoming request, but it never delivers the packet de-NAT'd to "host1".

Ideas?
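An added diagnostic check, not part of the original post and not Check Point code: FireWall-1 4.1 routes an inbound packet on whichever destination address it carries at routing time, and with the default server-side destination translation that is still the public (pre-NAT) address, so the firewall's routing table needs a path for the public address toward the inside router. The script below, using a constructed routing table and made-up addresses (198.51.100.25 as the public NAT address, 10.1.2.3 as host1, 192.0.2.2 as the inside router), does a longest-prefix lookup for both the public and the translated address to show which next hop each mode would pick.

```python
import ipaddress

# Constructed routing table for the firewall; every address here is made up
# and is not from the post.  The 207.x range stands in for the post's
# "real but never advertised" internal addresses.
FW_ROUTES = [
    ("0.0.0.0/0",       "198.51.100.1"),  # default route -> outside router
    ("10.0.0.0/8",      "192.0.2.2"),     # internal 10.x network -> inside router
    ("207.0.113.0/24",  "192.0.2.2"),     # internal 207.x network -> inside router
    # no host route for the public NAT address 198.51.100.25 -> inside router
]

def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None

def inbound_next_hop(routes, public_ip, internal_ip, client_side_nat=False):
    """Address the firewall routes an inbound packet on, and the next hop it picks.

    With client-side destination translation the packet is already rewritten
    to internal_ip when it is routed; with server-side translation (assumed
    here to be the 4.1 default) it is still addressed to public_ip, so the
    routing table must know where public_ip lives on the inside.
    """
    routed_on = internal_ip if client_side_nat else public_ip
    hit = lookup(routes, routed_on)
    return routed_on, (hit[1] if hit else None)

if __name__ == "__main__":
    for mode in (False, True):
        print(inbound_next_hop(FW_ROUTES, "198.51.100.25", "10.1.2.3", mode))
```

Adding a host route for the public address toward the inside router (e.g. `("198.51.100.25/32", "192.0.2.2")`) makes the server-side case resolve to the inside router as well.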
