I won't ask why you are letting DMZ machines access
nodes on the internal network. You must have thought
it through. I don't see you talking about the arp?
--- Kath Knight <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I'm using Checkpoint FW1 version 4.
>
> It is running on a Sun server running solaris 2.6
>
> The machine has three active interfaces:
> hme0: the internal network
> qfe2: the DMZ
> qfe3: the internet
>
> I have a couple of internal machines set up with a
> static NAT to the
> internet. This works perfectly. I did have to add
> static routes on the
> firewall for each NAT going from the translated
> address to the new address
> for this to work.
>
> My problem is that the machines on the DMZ can not
> connect to these machines
> on their NAT address (or obviously their internal
> one).
>
> The rule exists.
> The route exists.
> I can see the traffic on the qfe2 interface using
> tcpdump.
> I can see checkpoint accepting the packet in the
> log.
> But the packet never emerges from any of the
> firewall's interfaces.
>
> Here are log entries for the different attempts (one
> internet - works fine,
> one DMZ - doesn't work).
>
> "firewall" is the firewall
> "NATbox" is the NAT'd machine (only http packets
> are allowed).
> "DMZbox" is the machine on the DMZ trying to connect.
> "internet" is on the internet - it connects just
> fine.
>
> internet - works
> "11Jul2000" "16:00:18" "qfe2" "firewall" "log" "accept" "http" "internet" "NATbox (Valid Address)" "tcp" "5" "58398" "" "" "" "internet" "NATbox" "58398" "http" " len 60"
>
> DMZ - doesn't work
> "11Jul2000" "16:00:24" "qfe1" "firewall" "log" "accept" "http" "DMZbox" "NATbox (Valid Address)" "tcp" "3" "1254" "" "" "" "DMZbox" "NATbox (Valid Address)" "1254" "http" " len 60"
>
>
> Why is it that for the working translation from the
> net, the NAT computer
> appears as "NATbox", but for the non-working
> translation from the DMZ it
> appears as "NATbox (Valid Address)"?
>
> Does anyone have any ideas how I can fix this?
>
> Many thanks.
>
> kath knight | network engineer
> voice +61 2 9395 8600 | fax +61 2 9518 9836
> rare medium asia pacific | www.raremedium.com.au
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please
> see the instructions at
>
> http://www.checkpoint.com/services/mailing.html
>
> ================================================================================
=====
Chris
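The two log records quoted in the mail answer Kath's own question once they are read field by field: in the working attempt the destination object is "NATbox (Valid Address)" on arrival and "NATbox" in the later, post-translation destination column, while in the failing attempt that later column still reads "NATbox (Valid Address)", so the packet was accepted but its destination was never rewritten (and it was logged on qfe1 rather than qfe2). The thread does not settle why the translation is skipped for the DMZ source; the reply's ARP hint and the static routes are the two things to check. The following is an added example, not code from the mail or from Check Point: it parses the 20-field FireWall-1 4.x records as quoted and reports which fields differ between the two attempts. The column names, in particular the four "xlate" columns before the trailing info field, are an assumption for this export format, not documented field names.

```python
"""Parse the FireWall-1 4.x log records quoted in the thread and show which
fields differ between the working and the failing connection attempt.
Added example; not part of the original mail."""
import shlex

# Assumed column order for the 20-field export line. The first twelve follow
# the usual FW-1 logexport order; the four before the trailing "info" field
# are taken to be the translated source/destination/ports. Treat these names
# as an assumption made for this example, not as Check Point documentation.
FIELDS = [
    "date", "time", "interface", "origin", "type", "action", "service",
    "src", "dst", "proto", "rule", "s_port", "unused1", "unused2", "unused3",
    "xlatesrc", "xlatedst", "xlatesport", "xlatedport", "info",
]

# The two records from the mail, re-joined onto one line each.
WORKING = ('"11Jul2000" "16:00:18" "qfe2" "firewall" "log" "accept" "http" '
           '"internet" "NATbox (Valid Address)" "tcp" "5" "58398" "" "" "" '
           '"internet" "NATbox" "58398" "http" " len 60"')
FAILING = ('"11Jul2000" "16:00:24" "qfe1" "firewall" "log" "accept" "http" '
           '"DMZbox" "NATbox (Valid Address)" "tcp" "3" "1254" "" "" "" '
           '"DMZbox" "NATbox (Valid Address)" "1254" "http" " len 60"')


def parse_record(line):
    """Split one double-quoted, space-separated record into a field dict."""
    values = shlex.split(line)  # keeps "" as '' and " len 60" as one token
    if len(values) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    return dict(zip(FIELDS, (v.strip() for v in values)))


def destination_translated(rec):
    """True when the record shows the destination rewritten to a different
    object, i.e. the static NAT was applied on the way through."""
    return rec["xlatedst"] != rec["dst"]


def diff_records(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {f: (a[f], b[f]) for f in FIELDS if a[f] != b[f]}


def explain(working_line, failing_line):
    """Human-readable comparison of a working and a failing attempt."""
    w, f = parse_record(working_line), parse_record(failing_line)
    lines = []
    for field, (wv, fv) in diff_records(w, f).items():
        lines.append("%-11s working=%-26r failing=%r" % (field, wv, fv))
    lines.append("destination NAT applied: working=%s failing=%s"
                 % (destination_translated(w), destination_translated(f)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(WORKING, FAILING))
```

Run it on a larger logexport file by feeding each line to parse_record and filtering on destination_translated() being False for accepted packets whose destination is a NAT valid address; those are exactly the "accepted but never emerges" cases worth chasing before touching rules or routes.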