RE: [FW1] NAT not working
Thanks for the ideas....

The first rule may seem a little redundant, but really we will have 2 networks (clean and DMZ) and I do not want any translation between these two as they will be behind the firewall - I just need the firewall to route between them. I did do a tracert from an inside PC and it died at the external interface of the firewall.

In looking back at 3.0 'fixes' I am going to try entering ARP entries for the 'valid' (translated) addresses and associating them with the firewall's external NIC.

Hope this works....
Karen
-----Original Message-----
From: armando.leite@hsbcgroup.com [mailto:armando.leite@hsbcgroup.com]
Sent: Wednesday, October 13, 1999 5:37 AM
To: Karen Cochran
Subject: RE: [FW1] NAT not working
hmm...

All of your assumptions are correct. I do have the default route for the firewall being the external router. The internal interface and the test PC are on the same subnet. I have tried this NAT rule actually 2 ways (and with different parameters as described).

And the default route on the PC is the firewall? Even with the machines on the same net you must define this; the PC will know how to handle 10.x.x.x but not anything else. I'm sure you're aware of this but it's always worth mentioning.

1) I chose to NAT (either the workstation itself or the network in separate tests) in the definition of the network object. This of course creates an automatic rule which states:
10.x.x.x 10.x.x.x any original original
10.x.x.x any any (Valid Hide or Static address)

2) I also created a workstation to represent the actual valid IP address I wanted to use for the workstation or network and manually created the NAT rule:
10.x.x.x 10.x.x.x any original original
10.x.x.x any any workstationhide (static or hide) original

The 1st (in the second scenario) rule is a bit redundant. It's using translation rules TO avoid translation and, as the PC is on that subnet, the traffic will not reach the firewall (it will use the route to send data to the interface and not the default route).

I did make sure on the second scenario that there was not an Automatic NAT that negated my rule.

I do agree that this should be a routing problem. I actually have set this same thing up on 2 different PCs. The only difference is the router and ISP I am attempting to access. The new one is a DSL. Unfortunately they own the router and I can not get access to it. I have changed my IP on the firewall to the IP I was using for NAT and can still access the internet without any problems.

Easiest way is to either sniff the traffic on the dirty side and check if you see anything coming from the PC (translated traffic); if you do then the router is the one messing things up. Or traceroute from the internal PC and see if you get to the router.

And good luck...
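The dirty-side check Armando suggests, written out as an added example (not code from the thread or from Check Point): a small Python classifier that reads tcpdump-style lines captured on the firewall's external interface and says which of the three outcomes they show. The addresses are assumptions (10.0.0.5 as the test PC inside Karen's 10.0.0.0/8, 192.0.2.10 as the valid hide address, 198.51.100.7 as an Internet destination) and the capture lines are constructed for the example.

```python
import ipaddress
import re

# Assumed addresses (documentation ranges, not from the thread).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # Karen's internal addressing
HIDE_ADDRESS = ipaddress.ip_address("192.0.2.10")      # assumed valid hide address

# tcpdump-style "IP src.port > dst.port:" lines; only the IP header fields are used.
LINE_RE = re.compile(r"^IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")


def parse_line(line):
    """Return src/dst addresses for an IP line, or None for ARP and other noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"])}


def diagnose(lines, hide=HIDE_ADDRESS, internal=INTERNAL_NET):
    """Classify a dirty-side capture the way Armando's reply suggests reading it."""
    untranslated = translated = replies = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] in internal:
            untranslated += 1          # private source leaked past the NAT rule
        elif pkt["src"] == hide:
            translated += 1            # the firewall did translate the PC's traffic
        elif pkt["dst"] == hide:
            replies += 1               # the router/ISP is answering the hide address
    if untranslated:
        return "untranslated"      # NAT rule not applied: packets hit the router as 10.x
    if translated and replies:
        return "ok"
    if translated:
        return "no-replies"        # translation works, the router is "messing things up"
    return "not-reaching"          # nothing from the PC: routing problem before the firewall


# Constructed sample captures (the ARP line shows that non-IP lines are skipped).
CAPTURE_UNTRANSLATED = [
    "ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
    "IP 10.0.0.5.1034 > 198.51.100.7.80: Flags [S], seq 0, win 8192, length 0",
    "IP 10.0.0.5.1034 > 198.51.100.7.80: Flags [S], seq 0, win 8192, length 0",
]
CAPTURE_NO_REPLIES = [
    "IP 192.0.2.10.10001 > 198.51.100.7.80: Flags [S], seq 0, win 8192, length 0",
    "IP 192.0.2.10.10001 > 198.51.100.7.80: Flags [S], seq 0, win 8192, length 0",
]
CAPTURE_OK = [
    "IP 192.0.2.10.10001 > 198.51.100.7.80: Flags [S], seq 0, win 8192, length 0",
    "IP 198.51.100.7.80 > 192.0.2.10.10001: Flags [S.], seq 0, ack 1, win 65535, length 0",
]
CAPTURE_EMPTY = ["ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28"]

if __name__ == "__main__":
    for name, cap in [("untranslated", CAPTURE_UNTRANSLATED), ("no replies", CAPTURE_NO_REPLIES),
                      ("ok", CAPTURE_OK), ("empty", CAPTURE_EMPTY)]:
        print(f"{name:>12}: {diagnose(cap)}")
```

Each verdict maps onto one of the possibilities in the thread: "untranslated" means the hide rule never fired (or was cancelled by another rule), "no-replies" points at the router or ISP, and "not-reaching" means the PC's packets are being routed somewhere other than the firewall before NAT could ever apply.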
-----Original Message-----
From: armando.leite@hsbcgroup.com [mailto:armando.leite@hsbcgroup.com]
Sent: Tuesday, October 12, 1999 12:42 PM
To: Karen Cochran
Subject: Re: [FW1] NAT not working
Karen,

Probably a routing problem. Firewall-1 does a routing decision prior to doing the translation (just to remind you). You should have the default route for the firewall to go to the external router. I'm assuming that the internal interface and the test PC are on the same subnet, so they should be able to communicate. Also, the PC should have as default route the firewall. In the end your internal routing infrastructure should be able to route anything that isn't 10.x.x.x to the firewall.

The NAT rule should be something like 10.x.x.x - any - any : Firewall_external_ip(h) - any - any.

Regards,
Armando

PS: do not forward my email address to the list. If you want to forward this just edit the msg. thanks. spam sucks.
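The order of operations Armando describes (a routing decision first, then translation, with the first matching NAT rule winning) modelled in Python as an added example; this is not Firewall-1 code and nothing here comes from the thread beyond the rule shapes quoted in it. It also covers the PC-side check from his later reply (the PC needs a default route pointing at the firewall). The topology, the addresses (10.0.0.1 and 192.0.2.10 for the firewall, 192.0.2.1 for the external router) and the way rules are encoded are all assumptions.

```python
import ipaddress

# Constructed topology; addresses are placeholders, not from the thread.
FW_INTERNAL_IP = ipaddress.ip_address("10.0.0.1")
FW_EXTERNAL_IP = ipaddress.ip_address("192.0.2.10")   # also used as the hide address
EXTERNAL_ROUTER = ipaddress.ip_address("192.0.2.1")

# Routing table entries: (prefix, interface, gateway or None when directly connected).
FW_ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "internal", None),
    (ipaddress.ip_network("192.0.2.0/24"), "external", None),
    (ipaddress.ip_network("0.0.0.0/0"), "external", EXTERNAL_ROUTER),
]
FW_ROUTES_NO_DEFAULT = FW_ROUTES[:2]

PC_ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "eth0", None),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0", FW_INTERNAL_IP),
]
PC_ROUTES_NO_DEFAULT = PC_ROUTES[:1]

# NAT rules in the shape the thread shows: (original src, original dst, translated src).
# "original" keeps the source unchanged; an address means hide behind that address.
NAT_RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8"), "original"),
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("0.0.0.0/0"), FW_EXTERNAL_IP),
]


def lookup_route(dst, routes):
    """Longest-prefix match; returns (interface, gateway) or None when nothing matches."""
    best = None
    for net, iface, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return None if best is None else (best[1], best[2])


def apply_nat(src, dst, rules):
    """First matching rule wins, as in the rulebase; returns the outgoing source."""
    for rule_src, rule_dst, xlate in rules:
        if src in rule_src and dst in rule_dst:
            return src if xlate == "original" else xlate
    return src


def forward(src, dst, routes=FW_ROUTES, rules=NAT_RULES):
    """Firewall step in the order Armando states: route first, then translate."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup_route(dst, routes)
    if route is None:
        return {"action": "drop", "where": "firewall", "reason": "no route"}
    iface, gw = route
    return {"action": "forward", "where": "firewall", "iface": iface,
            "next_hop": str(gw or dst), "src": str(apply_nat(src, dst, rules))}


def end_to_end(src, dst, pc_routes=PC_ROUTES, fw_routes=FW_ROUTES, rules=NAT_RULES):
    """PC routing decision first, then the firewall's route-then-NAT step."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pc_route = lookup_route(dst, pc_routes)
    if pc_route is None:
        return {"action": "drop", "where": "pc", "reason": "no default route on PC"}
    _, gw = pc_route
    if gw is None:
        # Same subnet: delivered directly, the firewall never sees it (the 10.x -> 10.x rule is moot).
        return {"action": "deliver", "where": "lan", "src": str(src)}
    if gw != FW_INTERNAL_IP:
        return {"action": "drop", "where": "pc", "reason": "default route is not the firewall"}
    return forward(src, dst, fw_routes, rules)


if __name__ == "__main__":
    print(end_to_end("10.0.0.5", "198.51.100.7"))                      # hidden behind 192.0.2.10
    print(end_to_end("10.0.0.5", "10.0.0.9"))                          # stays on the LAN
    print(end_to_end("10.0.0.5", "198.51.100.7", PC_ROUTES_NO_DEFAULT))  # dies at the PC
    print(end_to_end("10.0.0.5", "198.51.100.7", fw_routes=FW_ROUTES_NO_DEFAULT))  # dies at the firewall
```

The two failure cases are the ones the thread circles around: without a default route the packet is dropped before any NAT rule is consulted, which is why a translation rule that looks right can still produce no traffic on the dirty side.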
Karen Cochran <Karen.Cochran@vistait.com> on 10/12/99 05:19:03 PM
To: "'fw-1-mailinglist@lists.us.checkpoint.com'"
<fw-1-mailinglist@lists.us.checkpoint.com>
cc: (bcc: Armando LEITE/GMIITS/HSBCMERIDIAN)
Subject: [FW1] NAT not working
Currently I have a CheckPoint Firewall-1 installed on a Windows NT 4 server. NT Service Pack 4 has been applied as well as the quick fixes from Microsoft. I started with CheckPoint's Service Pack 4 installed. Then I uninstalled it and went back to CheckPoint's Service Pack 2. I have since uninstalled Service Pack 2 so only the original application should be installed. The firewall can surf the internet and ping/view the internal network in any of these scenarios. The internal network is configured with 10.0.0.0 Mask 255.0.0.0 addressing. I want to NAT the internal users with a single hide address. I can not seem to NAT out to the internet either with static or hide for either a single system, the internal network or an address range defined.

I have tested the router and it will allow for the valid IP I am trying to access the internet. My only rule at this time is:
ANY ANY ANY Accept.
IP forwarding is enabled.

I have tried cutting down the size of the internal network to a single class C. This did not work.

At this time I have 2 NICs - one to the router and one to a hub with a single workstation off it. I have defined the firewall itself. I have tried defining the network and also defining the workstation (2 different scenarios) and neither worked.

HELP! I am stumped!
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
**********************************************************************
This message originated from the Internet. Its originator may, or may
not be who they claim to be, and the information contained herein
may, or may not be accurate.
**********************************************************************
************************************************************************
HSBC Bank plc, which is regulated in the UK by SFA, has issued the
information contained in this message (including any attached documents)
for its non-private customers only. It should not be reproduced and/or
distributed to any other person. It is not an invitation to buy or sell
securities. Opinions may change without notice and members of the
HSBC Group may have positions in, or trade in instruments mentioned in
this message. Each page attached hereto must also be read in conjunction
with any disclosure which forms part of it.
************************************************************************