Re: [FW-1] Nat issues
Hey group, have a question on NATing that has got me stumped.

We currently have a distributed FW 4.1 SP4 setup. Basic setup:

    internet---router--fw--router--management
                                 |
                                 -- host1

We have two sets of internal addressing. A 10.x.x.x network and a set of real IPs 207.x.x.x that are just not broadcast out, so they are basically used as private IPs as well. We NAT going out the firewall to a set of routable IP addresses. Implied rules show incoming and outgoing NAT rules correctly.

Ok, currently we have a machine with a 207.x.x.x address running an SMTP server and HTTP server. To this point, people can access it fine, as well as it accessing the outside world fine. Therefore I figure that the rule set and NAT rules are correct (any host1 http/SMTP Accept) & (host1 any any Accept).

Now, I moved the box to a 10.x.x.x address, changed and verified DNS, as well as checked the FW's resolution of it, changed the FW's "host1" object to the new address, and installed the policy. I can now go out from host1 to any site fine as I could before. However, traffic does not come in to this machine via the allowed ports. I've checked the FW's static routes, can reach the internal address from the FW fine, and I've snooped incoming and outgoing traffic to the firewall and it seems traffic to host1 never leaves the FW.

I've triple-checked the numbers, and even moved it back to a different 207.x.x.x number which brought it back to a working condition, so it seems that the de-NAT fails with this internal IP scheme. I tried a test box and the same results occur. The firewall is not directly connected to either the 10.x.x.x or 207.x.x.x network, so it has to use its routing table for both. I put the log attribute on the policy entry and do see accepts on the incoming request, but it never delivers the packet de-NAT'd to "host1".

Ideas?
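As an added illustration (not part of the original post or any Check Point code), the Python model below reproduces the order FireWall-1 4.1 applies by default to inbound static NAT: the routing decision is made on the untranslated public destination, and the translation to the real address happens on the outbound interface. When the firewall is not directly connected to the internal network, that ordering means the public address needs its own host route toward the internal router, and the model includes a check that flags NAT entries lacking one. All addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholder addresses, not taken from the original post.
EXTERNAL_ROUTER = "203.0.113.1"   # next hop toward the Internet
INTERNAL_ROUTER = "192.0.2.1"     # next hop toward the 10.x.x.x network
PUBLIC_IP = "198.51.100.10"       # routable address published for host1
HOST1_PRIVATE = "10.1.1.10"       # host1 after the move to 10.x.x.x

# Firewall routing table as (prefix, next hop); no host route for PUBLIC_IP.
FW_ROUTES = [
    ("0.0.0.0/0", EXTERNAL_ROUTER),
    ("10.0.0.0/8", INTERNAL_ROUTER),
]
STATIC_NAT = {PUBLIC_IP: HOST1_PRIVATE}  # inbound: public -> real address


def route_lookup(routes, dst):
    """Longest-prefix match over the routing table; returns next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, next_hop)
    return best[1] if best else None


def inbound_packet_41(routes, nat, dst):
    """FW-1 4.1 default order for an accepted inbound packet: route on the
    untranslated public destination, then apply static NAT on the way out.
    Returns (next_hop, translated_destination)."""
    next_hop = route_lookup(routes, dst)
    if next_hop is None:
        return ("dropped-no-route", dst)
    return (next_hop, nat.get(dst, dst))


def check_nat_routes(routes, nat, internal_next_hops):
    """Defender's sanity check: every public NAT address must route toward an
    internal next hop, otherwise de-NAT'd packets can never reach the real host.
    Returns a list of (public, real, actual_next_hop) for offending entries."""
    problems = []
    for public, real in nat.items():
        hop = route_lookup(routes, public)
        if hop not in internal_next_hops:
            problems.append((public, real, hop))
    return problems


# The fix modelled here: a host route for the public address via the internal router.
FIXED_ROUTES = FW_ROUTES + [(PUBLIC_IP + "/32", INTERNAL_ROUTER)]
```

With FW_ROUTES the accepted packet is translated to host1's address but handed to the external router, which matches the symptom of an accept in the log with nothing reaching host1; with FIXED_ROUTES it is forwarded to the internal router.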