[FW-1] FW-1 NAT/PAT problems on SP3
Hello, I'm having some trouble with two firewalls we have that need to use NAT and PAT at the same time. I had put a ruleset for NAT like:

IPGroup -> pub_server -> udp_53 | Original -> priv_server -> udp_503

After compilation this actually works as it should; in the logs of the firewall I actually see translation going on, but if I run a snoop on the DMZ interface, in some cases I see some IPs that are in the IPGroup passing through the firewall to the pub_server on port 80 rather than going to priv_server on port 81, and of course the connections are lost after that. This happens at the same time that other IPs are getting translated!!! So we have 10.10.1.1 going to the pub_server on port 53 and, at the same time, we have 10.10.1.2 going to priv_server on port 503!!

Something is going really wrong here. My question is: is there any chance that FireWall-1 can only handle a limited number of translated sessions and passes the rest without doing any kind of translation?

We have a FireWall-1 SP3 running at the frontend and another one on the backend, same version (don't ask me why), and to minimize this situation we had to set the same rule on the backend so that if the translation doesn't happen on the frontend it is tried again on the backend... Now, checking the logs again, we really see in the backend traffic that was not translated before and that was being dropped because of that, and is now being "retranslated". Still, in some cases the translation again doesn't happen, which gives us a big problem with looping traffic for a while: because we have a route set for the pub_server, we should send the traffic to an internal router in order for the translation to work in the first place, and now if the translation rule doesn't work, which happens in some cases, we see the router giving the packet back to the firewall, and so on and so on until we lose it by TTL.

Any ideas, guys? If you have any, could you please reply to [email protected]?
I'd really appreciate some help on this. By the way, do you know if this is happening with any SP or if only SP3 is doing this kind of "dirty work"? Should I upgrade to a recent SP and be sure that the problem gets solved?

Thanks in advance, and I hope to have some answers really fast!! PLEASE!!

Bye, bye,
CS