You will need to create your NAT rules manually instead of using automatic
NAT rules on your network objects.
Then you can create a similar NAT ruleset:
                  Original packet             Translated packet
Src      Dest     Svc      Src       Dest     Svc
NetA     NetB     any      orig      orig     orig
NetB     NetA     any      orig      orig     orig
NetB     any      any      hideB     orig     orig     (hide NAT)
wsrvr    any      any      wsrvrN    orig     orig     (static NAT)
ftp      any      any      ftpN      orig     orig     (static NAT)
NetA = 10.230.230.0 network object
NetB = 10.230.231.0 network object
hideB = Workstation object in 207.46.10.0 address space for hide NAT
wsrvr = workstation object for www server in NetA
wsrvrN = workstation object in 207.46.10.0 address space for www server's
routable address for static NAT
ftp = workstation object for ftp server in NetA
ftpN = workstation object in 207.46.10.0 address space for ftp server's
routable address for static NAT
I am assuming that NetA is going to be where you put WWW, Email and other
publicly addressable servers (frequently called a DMZ). If you plan to use
non-routable addresses (RFC 1918) you will need to use static NAT to map
each server to a routable IP address and add static host routes for these
routable addresses pointing to the RFC 1918 addresses. Also, if the
addresses you are using are in the 207.46.103.0 network you will also need
to configure the firewall to proxy ARP for the routable addresses.
I hope this helps.
-PaulK
At 01:14 PM 5/26/2000, Franklin R. Jones wrote:
> +----+
> | fw |
> | >eth0 outbound to the Internet routeable
> | | addresses 207.46.103.x **
> | |
> | >eth1 perimeter net lets say addresses 10.230.230.x
> | |
> | >eth2 internal net lets say addresses 10.230.231.
> | |
> +----+
>
>** not my address space, but a well known one. :)
>
> anyway we set a nat hide translation for 10.230.230.x to hide
>behind 207.45.103.50.
>
> That works fine for the internet and traffic heading out eth0, but
>does not the same translation happen on traffic going from eth1 to
>eth2 (inbound)? (so I end up with 207.46.103.x traffic on the internal
>network). That is not what I intend. Any way around this? Ideally what
>I would like to see is NAT only happen when it traverses eth0. I had
>assumed (wrongly it appears) that if an object has a translation rule
>that it would only be applied if a rule says to. It appears that what
>really happens is that if the ip address of an object has a
>translation rule it happens regardless if the object is in the rule or
>not. (e.g object-a and object-b both point at the same ip address,
>object-b has the nat, object-a doesn't and is in the rulebase. the nat
>happens anyway when it matches the ip address of object-b)
*********************************************
Paul Keser
Network Security Engineer
[EMAIL PROTECTED]
tel: 415.351.4037
fax: 415.474.6017
ShopExpert.com
1375 Sutter Street, Suite 400
San Francisco, CA 94109
*********************************************
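As an added illustration (not part of either message in this thread), the Python model below evaluates the manual NAT ruleset from the reply with first-match semantics and contrasts it with the address-based automatic NAT behaviour described in the quoted question. The host addresses and the 207.46.103.x translated addresses are assumed values, not values from the thread.

```python
import ipaddress

# Constructed objects mirroring the reply's definitions. Host addresses and the
# routable 207.46.103.x values are assumptions, not values from the thread.
OBJECTS = {
    "NetA": ipaddress.ip_network("10.230.230.0/24"),
    "NetB": ipaddress.ip_network("10.230.231.0/24"),
    "wsrvr": ipaddress.ip_network("10.230.230.80/32"),
    "ftp": ipaddress.ip_network("10.230.230.21/32"),
}
TRANSLATED = {"hideB": "207.46.103.50", "wsrvrN": "207.46.103.80", "ftpN": "207.46.103.21"}

# Manual NAT ruleset from the reply: (src, dst, translated_src, translated_dst).
# Order matters: the two "orig" rules must come before the hide/static rules,
# because the first matching rule wins and evaluation stops there.
MANUAL_RULES = [
    ("NetA", "NetB", "orig", "orig"),
    ("NetB", "NetA", "orig", "orig"),
    ("NetB", "any", "hideB", "orig"),
    ("wsrvr", "any", "wsrvrN", "orig"),
    ("ftp", "any", "ftpN", "orig"),
]

def _matches(obj, addr):
    return obj == "any" or ipaddress.ip_address(addr) in OBJECTS[obj]

def manual_nat(src, dst):
    """First-match evaluation of the manual ruleset; returns (src, dst, rule_no)."""
    for n, (rs, rd, xs, xd) in enumerate(MANUAL_RULES, start=1):
        if _matches(rs, src) and _matches(rd, dst):
            return (src if xs == "orig" else TRANSLATED[xs],
                    dst if xd == "orig" else TRANSLATED[xd], n)
    return src, dst, None  # no rule matched: packet passes untranslated

def automatic_nat(src, dst):
    """The behaviour the original poster ran into: automatic hide NAT on the
    NetB object translates every packet sourced from NetB regardless of the
    destination, so NetB -> NetA traffic arrives on NetA as hideB."""
    if _matches("NetB", src):
        return TRANSLATED["hideB"], dst
    return src, dst

if __name__ == "__main__":
    for s, d in [("10.230.231.7", "10.230.230.80"),   # inside -> DMZ
                 ("10.230.231.7", "198.51.100.9"),    # inside -> Internet
                 ("10.230.230.80", "198.51.100.9")]:  # www server -> Internet
        print(f"{s:>14} -> {d:<14} auto={automatic_nat(s, d)[0]:<14} manual={manual_nat(s, d)[0]}")
```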
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================