[FW1] NAT doesn't always work on first octet

Wed, 05 Jul 2000 11:35:22 -0700 


All,

I have a strange problem which is probably a config issue but I can't find
it for the life of me...  Thought maybe someone might give me some pointers
on things to verify or, who knows, maybe there's a patch for it!  

Anyway, I am running Firewall-1 V4.0 Build 4031 on Solaris 2.6.  I moved my
v3.0b databases over (from a Solaris 2.5 box) and started a new.  I am
currently in test phase and here is the problem.

The first octet of the IP address does not get translated correctly in
certain instances.  This happens (in the same circumstances) with either my
hide NAT for my internal network or when doing a static NAT for an IP.  It
seems to happen when I do a PING from an internal system (ie: 10.1.2.3 NAT
is y.y.y.y) to an external IP (x.x.x.x).  The ping works fine but in the log
file I have the following:

interface               source          destination     proto   xlated
source          xlated destination
ge0 (internal)          10.1.2.3                x.x.x.x         icmp
6.y.y.y                 x.x.x.x
hme0 (external)         x.x.x.x         10.1.2.3                icmp
1.x.x.x                 y.y.y.y

If my hide NAT is y.y.y.y is always makes the first octet a 6 yet if I run
my browser or do an ftp to a site on the internet, the 'xlated source' IP
address is correct.

I have checked the settings of my NICs (ifconfig), my routing (netstat), my
arp (arp), my hosts, and my Firewalled object...

I have changed my network config a lot to fit the testing environment but I
have gone over the settings with a fine tooth comb and all appears correct.
Anybody have any ideas?

Thanks for your help in advance.  Please let me know what other data I can
provide that would be helpful in troubleshooting this.

Thanks,

Tracy A. Maxi
Firewall Administrator
AFRL/SNOO Computer Operations
Compaq Computers
(937) 255-1953 x3536



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Reply via email to