
[FW-1] Ref.: [FW-1] Re: Re: [FW-1] Re: [FW-1] Static NAT problem



Hello

In 4.1, static destination NATing is theoretically done outbound (when the
packet LEAVES the firewall).

This means you may not see your translated IP in your tcpdump, as NAT is
done after the IP stack, routing and outbound filtering.

I remind you that NAT can be done inbound for automatic NAT rules only in
FP2, and can be done inbound for automatic AND manual NAT rules in FP3.

In my opinion, you could perform these exercises:
- 1) Add the translated IP as an authorized network on the internal interface
of your fw object (or deactivate anti-spoofing as Reinhard mentioned).
- 2) Add the route as mentioned by Reinhard.
- 3) DO NOT FORGET ARP RESOLUTION!! Publish your external address with
arp -s.
- 4) Write rules with the external IP if you do not do automatic NAT.
- 5) Red Hat: IP masquerade should NOT be activated. Do you have kernel 2.2
or 2.4?

I take this opportunity to wish you all a perfect 2003.

HTH

Ivan
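
An added example, not code from this thread or from Check Point, that turns
items 2), 3) and 5) of Ivan's checklist into a gateway-side check for a Red Hat
box running FW-1 4.1: it parses constructed samples of "route -n", "arp -an"
and "iptables -t nat -L POSTROUTING -n" output and prints the command for each
prerequisite that is missing. The addresses follow the thread (real host
10.1.22.7, translated address 192.168.2.7); the interface names and the
external MAC address are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the FW-1 thread or Check Point): checks the host-side
# prerequisites for FW-1 4.1 static NAT on a Red Hat gateway. It runs offline
# against CONSTRUCTED command output; on a real box feed it the live output of
# "route -n", "arp -an" and "iptables -t nat -L POSTROUTING -n" (or ipchains).

REAL_IP=10.1.22.7            # real address of the internal host (from the thread)
NAT_IP=192.168.2.7           # translated (static NAT) address (from the thread)
EXT_MAC=00:50:56:aa:bb:cc    # assumed MAC of the firewall's external interface

# Constructed "route -n" output: no host route for the translated address,
# which is the situation Reinhard points at. eth0 external, eth1 internal (assumed).
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.22.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0'

# Constructed "arp -an" output: no published (proxy) entry for the translated address.
SAMPLE_ARP='? (192.168.2.1) at 00:0C:29:11:22:33 [ether] on eth0
? (10.1.22.7) at 00:0C:29:44:55:66 [ether] on eth1'

# Constructed "iptables -t nat -L POSTROUTING -n" output (2.4 kernel) with a
# masquerade rule, which must NOT be active when FW-1 does the NAT.
SAMPLE_NAT_TABLE='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.1.22.0/24         0.0.0.0/0'

# has_host_route ROUTE_OUTPUT IP: 0 if a /32 host route for IP is present.
has_host_route() {
    printf '%s\n' "$1" | awk -v dst="$2" \
        '$1 == dst && $3 == "255.255.255.255" { found = 1 } END { exit !found }'
}

# has_published_arp ARP_OUTPUT IP: 0 if IP has a published (proxy) entry; net-tools
# "arp -an" prints such entries with the PUB flag after "arp -s IP MAC pub".
has_published_arp() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$2 == ("(" ip ")") && /PUB/ { found = 1 } END { exit !found }'
}

# has_masquerade TABLE_OUTPUT: 0 if a MASQUERADE (2.4 iptables) or MASQ
# (2.2 ipchains) target is listed in the first column.
has_masquerade() {
    printf '%s\n' "$1" | awk \
        '$1 == "MASQUERADE" || $1 == "MASQ" { found = 1 } END { exit !found }'
}

# nat_prereq_check ROUTE_OUTPUT ARP_OUTPUT TABLE_OUTPUT: prints the command for
# each missing prerequisite and returns how many are missing (0 = all in place).
nat_prereq_check() {
    missing=0
    if ! has_host_route "$1" "$NAT_IP"; then
        # Route the translated address to the real host so inbound packets
        # leave via the internal interface after FW-1 rewrites the destination.
        echo "route add -host $NAT_IP gw $REAL_IP"
        missing=$((missing + 1))
    fi
    if ! has_published_arp "$2" "$NAT_IP"; then
        # Answer ARP for the translated address on the external segment.
        echo "arp -s $NAT_IP $EXT_MAC pub"
        missing=$((missing + 1))
    fi
    if has_masquerade "$3"; then
        echo "# remove the MASQUERADE/MASQ rule: the kernel must not NAT alongside FW-1"
        missing=$((missing + 1))
    fi
    return $missing
}

# Stand-alone run against the constructed samples (all three items missing).
nat_prereq_check "$SAMPLE_ROUTE" "$SAMPLE_ARP" "$SAMPLE_NAT_TABLE"
echo "missing prerequisites: $?"
```

Item 1) of the checklist (the interface's valid addresses / anti-spoofing) lives
in the firewall object in the Policy Editor, not on the host, so it is not
checked here. The published ARP entry is only needed when the translated address
falls inside the external interface's subnet, as in the sample; if the upstream
router instead has a static route for it, the arp -s step can be skipped.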

--------------------------------------------
hi,

Try to add the route as I wrote below and try again. Another common error
is IP spoofing. Try to disable all IP-spoofing settings and connect again.

cheers
reinhard

                 -----Original Message-----
                 From: ALMEIDA Antonio Jose [mailto:[email protected]]
                 Sent: Tue 31.12.2002 13:00
                 To: [email protected]
                 Cc:
                 Subject: Re: [FW-1] Re: [FW-1] Static NAT problem



                 I have a 4.1 running on Red Hat. I think that the routing
                 is not the problem, because the packets are sent to where
                 they are supposed to, but the destination address doesn't
                 change!

                 Antonio

                 -----Original Message-----
                 From: Reinhard Stich [mailto:[email protected]]
                 Sent: Tuesday, 31 December 2002 11:01
                 To: [email protected]
                 Subject: [FW-1] Re: [FW-1] Static NAT problem


                 hi,

                 do you have a Nokia box?

                 Otherwise you have to add a route 192.168.2.7 -> 10.1.22.7
                 so that the packets are forwarded to the internal
                 interface.

                 Otherwise the inbound packets won't work.

                 cheers
                 reinhard

                         -----Original Message-----
                         From: ALMEIDA Antonio Jose [mailto:[email protected]]
                         Sent: Tue 31.12.2002 10:41
                         To: [email protected]
                         Cc:
                         Subject: [FW-1] Static NAT problem



                         I'm trying to NAT 10.1.22.7 with the 192.168.2.7
                         address and I did a static NAT in the firewall
                         (4.1). When I try to access 192.168.2.7 (this
                         machine is not directly connected to the firewall)
                         it is correctly translated by the firewall (that's
                         what the logs say), but on the outside interface I
                         have the same destination address (see the tcpdump
                         below).

                         FIREWALL LOG:
                         20:03:06 accept fw1 >eth3 proto tcp src 10.0.18.252 dst 192.168.2.7 service telnet s_port 49666 len 44 rule 175 xlatesrc 10.0.18.252 xlatedst 10.1.2.7 xlatesport 49666 xlatedport telnet

                         TCPDUMP ON OUTPUT INTERFACE:
                         20:03:44.388822 IP 10.0.18.252.49666 > 192.168.2.7.23: S 366463681:366463681(0) win 4128 <mss 556>
                         20:03:44.388826 IP 10.0.18.252.49666 > 192.168.2.7.23: S 366463681:366463681(0) win 4128 <mss 556>

                         Can someone help me here?

                         Antonio

                         =================================================
                         To set vacation, Out Of Office, or away messages,
                         send an email to [email protected]
                         in the BODY of the email add:
                         set fw-1-mailinglist nomail
                         =================================================
                         To unsubscribe from this mailing list,
                         please see the instructions at
                         http://www.checkpoint.com/services/mailing.html
                         =================================================
                         If you have any questions on how to change your
                         subscription options, email
                         [email protected]
                         =================================================
