I'm assuming splat here. I do recall in earlier versions being able to route out the secondary ISP link by just adding NAT rules; not sure what changed. However, your fw monitor does show the correct position for NAT for static source; client side, to my knowledge, just works on static dest.

Don't know if this will work for you, but if you can cut off ISP redundancy and set up iproute2 routes and rules, you can get source routing to work. Trying this with ISP redundancy enabled would not work for me; it seems the ISP redundancy ignores any iproute2 stuff. There are some examples here for setting up source routing: http://www.cpug.org/forums/dynamic-routing/2306-specific-routing-per-ip.html. Of course, not officially supported on splat.
-GS

________________________________
From: M. N. <[email protected]>
To: [email protected]
Sent: Mon, January 4, 2010 9:43:56 AM
Subject: [FW-1] SNAT on Passive ISP Link in Active/Passive ISP Redundancy config no longer possible on R70.20?

Guys,

I noticed something strange ever since we went from R70 to R70.20.

I used to be able to statically NAT a single host on the secondary ISP link (active/passive config) and have it go out on that link without any issues.

Ever since we upgraded from R70 no HFA to R70.20, this is no longer possible. It appears the packet is routed FIRST, then NATed, from what I could see with FW monitor. Packets are therefore leaving on the primary ISP link but with an IP from the second ISP range. Return packets obviously never come back.

This was NOT the case before, and we had been running like that ever since R70 first came out...

I know ISP Redundancy requires the Advanced Networking Blade to work, and we do have it, so this is quite strange.

Anyone noticed this?

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
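
The source-routing workaround mentioned in the reply at the top of this thread, sketched as an added example (not from either poster and not a Check Point procedure). It assumes the routing decision is made on the pre-NAT source address, as the fw monitor observation in the thread suggests; every address, interface name, table number and priority below is constructed.

```shell
#!/bin/sh
# Added example: policy routing for one statically NATed host with iproute2.
# Prints the commands by default; run as root with APPLY=1 to execute them.
HOST=10.1.1.50        # constructed: internal (pre-NAT) address of the host
INTERNAL=10.0.0.0/8   # constructed: internal networks that must stay on "main"
ISP2_GW=203.0.113.1   # constructed: next hop on the secondary ISP link
ISP2_DEV=eth2         # constructed: interface facing the secondary ISP
TABLE=200             # constructed: dedicated routing table number

# Return 0 only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Emit the iproute2 commands: host, internal net, gateway, device, table.
policy_route_cmds() {
    valid_ipv4 "$1" && valid_ipv4 "$3" || { echo "invalid address" >&2; return 1; }
    cat <<EOF
ip route add default via $3 dev $4 table $5
ip rule add from $1/32 to $2 lookup main priority 900
ip rule add from $1/32 lookup $5 priority 1000
ip route flush cache
EOF
}
# Rule 900 is evaluated before rule 1000, so traffic from the host to internal
# networks keeps using the main table and only the rest leaves via ISP2.

policy_route_cmds "$HOST" "$INTERNAL" "$ISP2_GW" "$ISP2_DEV" "$TABLE" |
while read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
done
```

After applying, `ip rule show` and `ip route show table 200` list what was installed; as the reply notes, ISP redundancy has to be disabled for these rules to take effect.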
