Tracy,
Have you verified what you see in the logs with an actual sniff trace?
I ran into a similar problem about a year ago (can't remember the exact
specifics) where the logs showed the first octet being a 100 (instead of
a 10), but doing a sniff trace showed that the traffic was truly being
NATted correctly. So it was more of a logging bug than anything else.
Also, I notice that you're only at SP1. I would definitely go to SP5 in
any case..... Hope this helps!
Jason
Maxi Tracy A Contr AFRL/SNOO wrote:
>
> All,
>
> I have a strange problem which is probably a config issue but I can't find
> it for the life of me... Thought maybe someone might give me some pointers
> on things to verify or, who knows, maybe there's a patch for it!
>
> Anyway, I am running Firewall-1 V4.0 Build 4031 on Solaris 2.6. I moved my
> v3.0b databases over (from a Solaris 2.5 box) and started a new. I am
> currently in test phase and here is the problem.
>
> The first octet of the IP address does not get translated correctly in
> certain instances. This happens (in the same circumstances) with either my
> hide NAT for my internal network or when doing a static NAT for an IP. It
> seems to happen when I do a PING from an internal system (ie: 10.1.2.3 NAT
> is y.y.y.y) to an external IP (x.x.x.x). The ping works fine but in the log
> file I have the following:
>
> interface source destination proto xlated
> source xlated destination
> ge0 (internal) 10.1.2.3 x.x.x.x icmp
> 6.y.y.y x.x.x.x
> hme0 (external) x.x.x.x 10.1.2.3 icmp
> 1.x.x.x y.y.y.y
>
> If my hide NAT is y.y.y.y is always makes the first octet a 6 yet if I run
> my browser or do an ftp to a site on the internet, the 'xlated source' IP
> address is correct.
>
> I have checked the settings of my NICs (ifconfig), my routing (netstat), my
> arp (arp), my hosts, and my Firewalled object...
>
> I have changed my network config a lot to fit the testing environment but I
> have gone over the settings with a fine tooth comb and all appears correct.
> Anybody have any ideas?
>
> Thanks for your help in advance. Please let me know what other data I can
> provide that would be helpful in troubleshooting this.
>
> Thanks,
>
> Tracy A. Maxi
> Firewall Administrator
> AFRL/SNOO Computer Operations
> Compaq Computers
> (937) 255-1953 x3536
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
