The best way to get NAT working (particularly pre CP2000) is to arp an
address and create a hide NAT rule and a rule for the service. What do I
mean by 'arp'ing an address...

Step 1. is to find an unused IP address on the same network as your
untrusted (external) interface. e.g. suppose your external interface is
203.244.12.218 /29. You may have a spare IP address at 203.244.12.219. It is
best to hide external addresses behind an external IP address, otherwise MAD
thinks the gateway is being spoofed (packets with a NAT'd internal source
address appear on the external interface...).

Step 2. is to create a local.arp file in the state directory. This file tells
FW-1 to answer arp requests for particular IP addresses on behalf of an
existing interface. It has a slightly different effect from multi-homing a
network card. You can list more than one IP address per card. This file
takes the format:
<IPAddress>     <Mac Address>
e.g.
203.244.12.219  00-0a-12-35-56-8e

Step 3. is to create your NAT rule. e.g.
-----------------------------------------------------
|     Original packet     |    Translated packet    |
-----------------------------------------------------
| Src     | Dest    | Svc | Source    | Dest | Svc  |
-----------------------------------------------------
| ext-net | int-net | any | hide-addr | orig | orig |
-----------------------------------------------------

Step 4. is to create your firewall rule which allows the service.

This works with 4.0 and CP2000 - I've used it with both, and it is a lot
better than just hiding behind the firewall's interface address.

BTW, the firewall has to be stopped and re-started after creating the
local.arp file before it picks it up.

Cheers

Craig/
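
A small check for steps 1 and 2 of the procedure above, added here as an
example; it is not part of Craig's message and not Check Point's own tooling.
It verifies that a candidate hide address is a usable host on the external
interface's subnet (not the network or broadcast address, and not the
interface's own address, which is the case the post warns MAD reacts to) and
then emits the local.arp line in the dash-separated format the message shows.
The interface 203.244.12.218/29, the spare address 203.244.12.219 and the MAC
00-0a-12-35-56-8e are the values from the message; the function names are this
example's own, and the MAC spelling (dashes, lower case) is assumed from the
sample line above rather than taken from any product documentation.

```python
"""Validate a hide-NAT address and build a local.arp file (added example)."""
import ipaddress
import re


def normalise_mac(mac):
    """Accept 00:0a:12:35:56:8e or 00-0a-12-35-56-8e (any case) and return
    the dash-separated lower-case form used in the thread's sample line.
    The dash form is an assumption taken from the sample, not from a spec."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or any(not re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(p.lower() for p in parts)


def check_hide_address(ext_iface_cidr, hide_ip):
    """Return (ok, reason) for a candidate hide address.

    ext_iface_cidr is the external interface with its prefix length, e.g.
    "203.244.12.218/29". The candidate must sit on that subnet, must not be
    the network or broadcast address, and must not be the interface's own
    address (hiding behind the interface address is what the post advises
    against, since MAD then sees internal sources arriving on it)."""
    iface = ipaddress.ip_interface(ext_iface_cidr)
    net = iface.network
    addr = ipaddress.ip_address(hide_ip)
    if addr not in net:
        return False, f"{addr} is not on the external subnet {net}"
    if addr in (net.network_address, net.broadcast_address):
        return False, f"{addr} is the network or broadcast address of {net}"
    if addr == iface.ip:
        return False, f"{addr} is the external interface's own address"
    return True, "ok"


def local_arp_line(hide_ip, mac):
    """One line of local.arp: <IPAddress> <Mac Address>."""
    return f"{hide_ip}\t{normalise_mac(mac)}"


def build_local_arp(ext_iface_cidr, mac, hide_ips):
    """Validate every candidate and return the text of a local.arp file.
    All entries use the same MAC, i.e. the external card that should answer
    the ARP requests. Raises ValueError with the reason for the first bad
    address so a typo never ends up in the file."""
    lines = []
    for ip in hide_ips:
        ok, reason = check_hide_address(ext_iface_cidr, ip)
        if not ok:
            raise ValueError(reason)
        lines.append(local_arp_line(ip, mac))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Values from the message above; the hypothetical output path is only
    # printed, the file is not written here.
    text = build_local_arp("203.244.12.218/29", "00-0a-12-35-56-8e",
                           ["203.244.12.219"])
    print("local.arp contents:")
    print(text, end="")
    # Demonstrate the rejections the post's advice implies.
    for bad in ("203.244.12.218", "203.244.12.223", "203.244.12.224"):
        print(bad, "->", check_hide_address("203.244.12.218/29", bad)[1])
```

The MAC must be that of the external interface itself: the point of the file
is that FW-1 answers ARP for the spare address with its own hardware address
so neighbours deliver those frames to the gateway. As the post notes, the
file is only read when the firewall is restarted, so run the check before the
restart, not after.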

-----Original Message-----
From: James Otts [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 20, 2000 4:14 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [FW1] NAT inbound with SecuRemote



Did some "head pounding" myself... ;-)

If you are using 4.1, there is an option for 'ip pool nat for sr users'.
Works like a charm.  No additional nat'ing rules are required.

Never could get it to work with 4.0...  Anyone else???

James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 18, 2000 9:35 PM
To: [EMAIL PROTECTED]
Subject: [FW1] NAT inbound with SecuRemote




I've been trying to get NAT working on an inbound connection with SecuRemote
users (mobile, no fixed IP addresses).  I have been trying to get a service
for an application that requires the IP address to be pre-defined to work by
NAT'ing the inbound service for the SecuRemote connection, but have not had
any luck.
I've searched all the online doc sites and FAQs, but can't find anything
that works..

Can anyone help me??  I'm almost ready to start pounding my head..

TIA..
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================