Stefan,

FW1 will keep track of both Hide and Static modes
for you (look in the logs).

You'll need the 'opposite' rule when the
need for a connection comes in from that direction.
Return packets are part of the original connection.

For real comfort, you should run some tests. It's
quite gratifying when it works and you see real
results (even when it doesn't work, you learn quite
a bit).

Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> Cisco Wave <[EMAIL PROTECTED]> 7/13/00 9:13:55 PM >>>
>
>Robert, All,
>
>Thank you very much.
>It is Mr, and you can call me Stefan ...
>
>The FW is keeping track of the NAT when it is Hide
>mode, but I am not sure when it is a static NAT.
>I did configure the FW with Hide mode in my previous
>company, but in my new company everything is configured
>with Static.
>The guys did configure both ways here, and I wonder if
>it is correct. As I need to address this before the
>audit point, I will 
>appreciate any help. I can test that on the live
>system.
>
>I tried to find it in the doc I have and on phone boy,
>but it was not mentioned if FW was keeping track of
>addresses for the return packets.
>
>Anybody can help me ?
>
>Thanks,
>
>Xavier
>
>-----Original Message-----
>From:  Robert MacDonald [SMTP:[EMAIL PROTECTED]] 
>Sent:  Wednesday, July 12, 2000 12:40 AM
>To:    [EMAIL PROTECTED]; 
>[EMAIL PROTECTED] 
>Subject:       Re: [FW1] static NAT, is the outbound only enough ?
>
>Cisco (or is it Mr./Ms. Wave :),
>
>Just outbound NAT should be fine. The fw should
>keep track of it from there.
>
>Robert
>
>- -
>Robert P. MacDonald, Network Engineer
>e-Business Infrastructure
>G o r d o n   F o o d    S e r v i c e
>Voice: +1.616.261.7987 email: [EMAIL PROTECTED] 
>
>>>> Cisco Wave <[EMAIL PROTECTED]> 7/5/00 3:52:34 AM >>>
>
>Dear All,
>
>Regarding static NAT, do we need to have both inbound
>and outbound NAT, or only one outbound NAT is enough
>and FW1 is smart enough to know the inbound NAT ?
>
>For example, which one is the most correct :
> 
>Rule
>A.B.C.D -> W.X.Y.Z TCP Accept (outbound)
>(TCP established are accepted, so no need for the rule
>inbound)
>
>with only this NAT ?
>NAT
>A.B.C.D->W.X.Y.Z translated 1.2.3.4->6.7.8.9
>
>or with both NAT ?
>NAT
>A.B.C.D->W.X.Y.Z translated 1.2.3.4->6.7.8.9
>6.7.8.9->1.2.3.4 translated W.X.Y.Z->A.B.C.D
>
>Thank you,
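
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Check Point code: a simplified model of a stateful NAT table in which return packets are matched to the original connection, while a connection opened from the other side needs the 'opposite' rule. The class, function names and the RFC 5737 sample addresses are assumptions made for illustration, and each rule entry stands for "accept and translate".

```python
# Simplified model of stateful NAT (illustration only, not FireWall-1 code).
# All addresses are constructed samples from the RFC 5737 documentation ranges.

A, W = "192.0.2.10", "198.51.100.20"        # stand-ins for A.B.C.D and W.X.Y.Z
A_X, W_X = "203.0.113.10", "203.0.113.20"   # stand-ins for 1.2.3.4 and 6.7.8.9


class StatefulNat:
    def __init__(self, nat_rules):
        # nat_rules: {(orig_src, orig_dst): (xlat_src, xlat_dst)}
        self.nat_rules = dict(nat_rules)
        # reply tuple as it arrives -> tuple it must leave with
        self.connections = {}

    def handle(self, src, dst):
        """Return the (src, dst) the packet leaves with, or None if dropped."""
        key = (src, dst)
        # 1. Return packet of a tracked connection: undo the translation.
        if key in self.connections:
            return self.connections[key]
        # 2. First packet of a new connection: it needs its own rule.
        if key in self.nat_rules:
            xlat_src, xlat_dst = self.nat_rules[key]
            # Replies arrive as xlat_dst -> xlat_src and leave as dst -> src.
            self.connections[(xlat_dst, xlat_src)] = (dst, src)
            return (xlat_src, xlat_dst)
        # 3. No connection state and no matching rule: drop.
        return None


def demo(with_opposite_rule):
    """Run the same three packets with or without the 'opposite' rule."""
    rules = {(A, W): (A_X, W_X)}                 # outbound rule only
    if with_opposite_rule:
        rules[(W_X, A_X)] = (W, A)               # the 'opposite' rule
    fw = StatefulNat(rules)
    return {
        # New connection started from the far side, before any state exists.
        "inbound_first": fw.handle(W_X, A_X),
        # Outbound connection matching the outbound rule.
        "outbound": fw.handle(A, W),
        # Return packet of that outbound connection.
        "reply": fw.handle(W_X, A_X),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("opposite rule:", flag, demo(flag))
```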



