What platform did you install on? What version of FW-1 are you at? Service
Pack? Does the problem persist if you unload the rulebase? I think that it
might be possible for the NAT rules to stay in place if you unload the
policy. This would allow you to test the NAT function without any rules
getting in the way. If not you can always try the least restrictive policy
you can do to help rule out any possible problems with the rulebase.
The question I'd be asking is why the customer wants to access an internal
mail server from its external NAT address from inside the network. I'm sure
there are reasons for doing it but if it doesn't have to be that way then
you might be able to save some sanity on this problem.
Also, have you seen anything in the FW logs about the ping packets getting
dropped? It could tell you what rule they are dropping on and possibly why.
You could also sniff the line with your favorite protocol analyzer to see
if you can see the packets hitting the external and internal intefaces
properly. This would go a long way towards letting you know where the ping
packets are disappearing (on the way out, on the way in, etc.).
opiesan
>
>We have installed a Checkpoint firewall at a client site. Now the client
>has an exchange server (e.g. 192.168.4.4) at its internal network. There is
>a static NAT rule to map it to an external address (e.g. 202.109.107.96).
>Now the client wants to have its internal workstation (e.g. 192.168.5.100)
>to access the exchange server using its external address (202.109.107.96).
>When we ping the external address from the internal workstation, the first
>ping packet was returned without problem. However, there is no more ping
>packet returned after the first success ping packet. We have replicate the
>problem in our testing environment as well.
>
>Can someone help us to explain this behaviour of Checkpoint firewall?
>
>Thanks!
>
>Roland
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
