Brendan,

You have to use an IP-Pool for your NAT'ed network (for example 10.61.17.0/27) which is not included in the IP ranges of your FW interfaces!
Friendly regards,
Jochen Waelkens

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Brendan Laws
Sent: Wednesday 17 December 2003 2:43
To: [EMAIL PROTECTED]
Subject: [FW-1] SecurePlatform AI + IP Pool NAT

Hi there, wondering if anyone has seen this.

SecurePlatform AI trying to do IP Pool NAT. FireWall has 3 interfaces:

Eth0 = external = 203.4.5.6/28
Eth1 = internal = 192.168.2.254/24
Eth2 = dmz = 10.61.15.1/27

IP Pool NAT network is 10.61.15.0/27.

Now off the 10.61.15.0/27 network is a frame connection to, say, 10.61.16.0/24; the route to the 10.61.16.0 network is accessed via a Cisco router (unknown IOS) @ 10.61.15.14, which then routes down to the 10.61.16.0/24 network.

Now if I SecuRemote in, I am able to make connections to 192.168.2.0/24 and I can see the source being, say, my pool NAT address 10.61.15.4 or something - works like a dream.

BUT if I attempt to make a connection through the VPN to, say, 10.61.16.8 (a machine running there), I can see the router @ 10.61.15.14 consistently trying to ARP for the IP Pool NAT address, and obviously it is unable to resolve the MAC.

Now if I ssh into the SP box and attempt a connection from the firewall, it connects to 10.61.16.8 fine; I can tcpdump the dmz interface and see the router @ 10.61.15.14 ARP for the firewall's physical IP of 10.61.15.1, it sees it fine and the packets go through fine. But the IP NAT pool, on the same interface, does not.

I have tried adding arp -s 10.61.15.2 etc etc with the MAC of the firewall's 10.61.15.1 interface, but that does not seem to help; the router is still ARPing for the pool address and cannot find it.

The only solutions I can think of are:
A) add static ARP entries into the Cisco router for each pool address?
B) this is some kind of bug in SecurePlatform?

Anyone seen anything like this before? If anyone has any ideas, or has come across this kind of thing before, I would love to know about it.
Cheers,
Brendan

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
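An added check, written here as an illustration and not code from the thread, that applies Jochen's rule to Brendan's interface table: it reports which interface subnet a proposed pool overlaps, the situation in which a neighbour on that segment (the Cisco router at 10.61.15.14 here) treats pool addresses as on-link and ARPs for them instead of sending them to the firewall. The interface table and the two candidate pools are taken from the messages above; the function names are my own.

```python
import ipaddress

# Interface table constructed from Brendan's message (address/prefix per interface).
INTERFACES = {
    "eth0 (external)": "203.4.5.6/28",
    "eth1 (internal)": "192.168.2.254/24",
    "eth2 (dmz)": "10.61.15.1/27",
}


def pool_conflicts(interfaces, pool_cidr):
    """Return the names of interfaces whose connected subnet overlaps the NAT pool.

    An empty list means the pool satisfies Jochen's rule: every interface subnet
    is disjoint from it, so neighbours reach pool addresses through the firewall's
    routed interface IP rather than by ARPing for them directly.
    """
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    return [
        name
        for name, addr in interfaces.items()
        if ipaddress.ip_interface(addr).network.overlaps(pool)
    ]


def neighbour_lookup(interface_cidr, target_ip):
    """Describe how a host configured with `interface_cidr` resolves `target_ip`.

    On-link targets are resolved with ARP on the segment; off-link targets are
    handed to the default gateway (the firewall's DMZ address in this topology).
    """
    subnet = ipaddress.ip_interface(interface_cidr).network
    target = ipaddress.ip_address(target_ip)
    return "arp" if target in subnet else "gateway"


if __name__ == "__main__":
    # Brendan's original pool versus the kind of pool Jochen recommends.
    for pool in ("10.61.15.0/27", "10.61.17.0/27"):
        hits = pool_conflicts(INTERFACES, pool)
        print(pool, "overlaps" if hits else "OK", hits)
    # How the Cisco router at 10.61.15.14 would resolve a pool address in each case.
    print(neighbour_lookup("10.61.15.14/27", "10.61.15.4"))  # arp
    print(neighbour_lookup("10.61.15.14/27", "10.61.17.4"))  # gateway
```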
