There are many problems with this situation.

- First, I'm not convinced your first ping "works". Sniff to see whether the response source address is the address of the FW and not that of the server. Brain-dead Windows has its own standard for ping! You need to check this, as even if ping works, TCP won't.

- I'm not sure whether you have static NAT rules installed on all FW interfaces, for both the client and the server. If not, then here is what you have: the client sends a packet to the FW, which relays it to the server, which replies directly to the client. But the reply should be dropped by the client, since it has never sent a packet to the server's address! Note that the problem is that the server packet didn't go through the FW and is thus not natted back.

- Even if a first packet works, the FW IP stack should generate an ICMP redirect to your client, since the packet is relayed through the same interface it came in on. The client should drop this redirect, since it is for a destination address that is not in its subnet. But you never know! Sniff to see if that happens.

Anyway, this configuration is a hard one. That's reflection, not NAT!

cheers,
mouss
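As an added illustration of mouss's second point (this is not code from the thread), a small Python model of the flow: without a source rewrite on the hairpinned request, the server answers the client from its real address and the reply never passes the firewall, so a strict client drops it; with hairpin SNAT the reply is forced back through the firewall and comes out from the external address. The firewall's inside address (192.168.5.1) and the assumption that client and server reach each other without crossing the firewall are constructed for the model.

```python
from dataclasses import dataclass

# Addresses from the thread; FW_INSIDE is an assumed address for the
# firewall's internal interface. Client and server are assumed to be reachable
# from each other without crossing the firewall (mouss's same-interface case).
SERVER_INT = "192.168.4.4"
SERVER_EXT = "202.109.107.96"
CLIENT = "192.168.5.100"
FW_INSIDE = "192.168.5.1"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class Firewall:
    def __init__(self, hairpin_snat: bool) -> None:
        self.hairpin_snat = hairpin_snat
        self.sessions: dict[str, str] = {}  # source seen by server -> real client

    def forward(self, pkt: Packet) -> Packet:
        """Static NAT: external address -> server's real address. With hairpin
        SNAT the source is rewritten too, so the reply must come back via the FW."""
        if pkt.dst != SERVER_EXT:
            return pkt
        src = FW_INSIDE if self.hairpin_snat else pkt.src
        self.sessions[src] = pkt.src
        return Packet(src, SERVER_INT)

    def reverse(self, pkt: Packet) -> Packet:
        """Undo both translations on a reply that actually reaches the firewall."""
        if pkt.src != SERVER_INT or pkt.dst not in self.sessions:
            return pkt
        return Packet(SERVER_EXT, self.sessions[pkt.dst])

def exchange(hairpin_snat: bool) -> tuple[bool, str]:
    """Run one request/reply; return (client accepts the reply, reply source seen)."""
    fw = Firewall(hairpin_snat)
    request = Packet(CLIENT, SERVER_EXT)
    at_server = fw.forward(request)
    reply = Packet(at_server.dst, at_server.src)  # server answers whoever it saw
    # A reply addressed to the client's own LAN address is delivered directly
    # and never passes the firewall, so it is never "natted back".
    if reply.dst != CLIENT:
        reply = fw.reverse(reply)
    # A strict client (think TCP) accepts only a reply from the address it sent to.
    return reply.src == request.dst, reply.src

if __name__ == "__main__":
    print("no hairpin SNAT:", exchange(False))  # (False, '192.168.4.4')
    print("hairpin SNAT:   ", exchange(True))   # (True, '202.109.107.96')
```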


At 11:25 05/01/01 +0800, Roland Xinlei Wang wrote:
>We have installed a Checkpoint firewall at a client site. Now the client has an Exchange server (e.g. 192.168.4.4) on its internal network. There is a static NAT rule to map it to an external address (e.g. 202.109.107.96). Now the client wants its internal workstation (e.g. 192.168.5.100) to access the Exchange server using its external address (202.109.107.96). When we ping the external address from the internal workstation, the first ping packet is returned without problem. However, no more ping packets are returned after the first successful ping packet. We have replicated the problem in our testing environment as well.
>
>Can someone help us to explain this behaviour of the Checkpoint firewall?
>
>Thanks!
>
>Roland
>

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
