I had this same issue several months ago.  After arguing that the FW wasn't
working and explaining several times to the support techs, I got the
following answer:

Checkpoint NAT is not designed to map the data received back out the same
adapter it arrived on.  If you have three adapters/subnets in the FW (a1,
a2, a3) then a1 may use the external NAT address of something on a2 or a3
BUT NOT a1.

I said bug, they said feature.  Either way it is not getting changed AFAIK.
 The solution was to use the internal address on the internal segment and
the external address on the "other" segments.  Of course keeping it all
straight is sometimes an educational experience.

My guess is you have the same issue.

On Fri, 5 Jan 2001 11:25:06 +0800 Roland Xinlei Wang asked:
>
>We have installed a Checkpoint firewall at a client site. Now the client
>has an exchange server (e.g. 192.168.4.4) at its internal network. There is
>a static NAT rule to map it to an external address (e.g. 202.109.107.96).
>Now the client wants to have its internal workstation (e.g. 192.168.5.100)
>to access the exchange server using its external address (202.109.107.96).
>When we ping the external address from the internal workstation, the first
>ping packet was returned without problem. However, there is no more ping
>packet returned after the first successful ping packet. We have replicated the
>problem in our testing environment as well.
>
>Can someone help us to explain this behaviour of Checkpoint firewall?
>
>Thanks!
>
>Roland
>


Dana Nowell     Cornerstone Software Inc.
mailto:[EMAIL PROTECTED]
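
Added example, not part of the original message or of any Check Point tooling: a small Python check that applies the rule described in the reply (a client may use a server's external NAT address only when the server sits behind a different adapter) and returns the address the client should use. The adapter-to-network layout, the prefix lengths and the `172.16.1.0/24` segment are assumptions; only the two 192.168.x hosts and the NAT pair come from the thread.

```python
import ipaddress

# Constructed topology (assumption): which networks are routed behind each
# firewall adapter. Prefixes and the a2 range are made up for the example.
ADAPTERS = {
    "a1": ["192.168.4.0/24", "192.168.5.0/24"],  # internal segment
    "a2": ["172.16.1.0/24"],                     # a second segment
    "a3": ["0.0.0.0/0"],                         # everything else (external)
}

# Static NAT rule from the thread: internal address -> external address.
STATIC_NAT = {"192.168.4.4": "202.109.107.96"}


def adapter_for(ip):
    """Return the adapter whose most specific network contains ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, nets in ADAPTERS.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    if best is None:
        raise ValueError(f"no adapter routes {ip}")
    return best[0]


def hairpins(client_ip, dest_ip):
    """True if dest_ip is a NAT address whose real host shares the client's adapter."""
    for internal, external in STATIC_NAT.items():
        if dest_ip == external:
            return adapter_for(client_ip) == adapter_for(internal)
    return False


def address_to_use(client_ip, server_internal_ip):
    """Internal address on the server's own segment, external NAT address elsewhere."""
    external = STATIC_NAT[server_internal_ip]
    return server_internal_ip if hairpins(client_ip, external) else external


if __name__ == "__main__":
    for client in ("192.168.5.100", "172.16.1.20", "198.51.100.7"):
        print(client, adapter_for(client), "->", address_to_use(client, "192.168.4.4"))
```

The same mapping can drive per-segment DNS answers or host entries, which is one way to keep the internal and external names straight.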


