Marc,
you should probably do this as an "automatic" type entry instead of a manual
method. That means define the object as its untranslated address, and under
the NAT tab, select "static trans" and put in the public address. Once the
rule is active, you should be able to ping both the translated and
untranslated addresses.
HTH,
-keith


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Marc Lueck
> Sent: Thursday, June 01, 2000 7:37 AM
> To: [EMAIL PROTECTED]
> Subject: [FW1] Proxy ARP NAT on Solaris
>
> I have been entirely frustrated trying to get a second proxy ARP NAT rule
> working on a FW-1 v 4.0. I have created a proxy ARP entry (exactly the same
> as another, working rule, with different address of course), accepting a
> valid address. I have created a route (route add "validaddr"
> "routerinvalidaddr" 1), and have created a NAT rule as follows:
>
> All_IP  ->  "validaddr"   Hide 0.0.0.0 -> Static "invalidaddr"
>
> All_IP is simply that, network range from 0.0.0.0 to 223.somethingorother.
> The Hide 0.0.0.0, is, for those who don't know, the
> as-far-as-I-can-tell-undocumented "Auto Translate" feature which hides the
> connection behind the outgoing interface IP address.
>
> Finally, there is a rule allowing Any to access both "validaddr" and
> "invalidaddr" via http.
>
> Connections to the "proxied" IP address result in resets sent back.
>
> There are two log entries. One accept, as per the rule, incoming on external
> interface, looks good. Then there is a reject, outbound on internal
> interface, rule 0, Info: len 44.
>
> I have another of these working, on a high port, without problem. I am
> guessing that the in.ahttpd daemon/listener is causing this ruckus, because
> everything else about these rules is identical.
>
> Please help a fellow downtrodden CP customer...
>
> Marc Lueck
> GSO Network Security
> Reuters
>
>
>
> -----------------------------------------------------------------
>         Visit our Internet site at http://www.reuters.com
>
> Any views expressed in this message are those of  the  individual
> sender,  except  where  the sender specifically states them to be
> the views of Reuters Ltd.
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>


