Correct-
With hide mode NAT, there can be NO sessions/connections initiated by the
outside.
Thomas Poole
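To make the hide-versus-static distinction (and the ARP point raised below) concrete, here is a small first-match NAT evaluator in Python loaded with the rule base from the original post. It is an added illustration for this thread, not Check Point code, and it does not model FW-1 internals or diagnose the poster's actual fault. The object names are the post's; the addresses, the ports, the HIDE_EXT object, the outside host and the proxy-ARP set are constructed for the example.

```python
"""Toy first-match NAT evaluator for the rule base in the post (added example,
not Check Point code). Addresses, ports, HIDE_EXT and the proxy-ARP set are
constructed; object names come from the post."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

ANY, ORIG = "ANY", "ORIG"

# Constructed addresses (RFC 1918 / RFC 5737) behind the post's object names.
OBJECTS: Dict[str, str] = {
    "INT_NET": "10.0.0.0/24",
    "MAIL_INT": "10.0.0.25",
    "WEB1_INT": "10.0.0.81",
    "WEB2_INT": "10.0.0.82",
    "TEST_SERVER": "10.0.0.90",
    "MAIL_EXT": "192.0.2.25",
    "HIDE_EXT": "192.0.2.99",   # constructed: the address INT_NET hides behind
}
SERVICES: Dict[str, int] = {"SMTP": 25, "POP3": 110, "TELNET": 23,
                            "PORT_1212": 1212, "PORT_2323": 2323}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    mode: str          # "static": fixed 1:1 rewrite; "hide": many-to-one, source only
    src: str           # original-packet selectors (object names or ANY)
    dst: str
    svc: str
    xsrc: str          # translated values (ORIG = leave as is)
    xdst: str
    xsvc: str


def _addr_match(obj: str, addr: str) -> bool:
    return obj == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(OBJECTS[obj], strict=False)


def _svc_match(obj: str, dport: int) -> bool:
    return obj == ANY or SERVICES[obj] == dport


def first_match(pkt: Packet, rules: List[Rule]) -> Optional[Rule]:
    """The translation rule base is read top-down; the first matching rule wins."""
    for r in rules:
        if _addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst) and _svc_match(r.svc, pkt.dport):
            return r
    return None


def apply_rule(pkt: Packet, r: Rule) -> Packet:
    """Rewrite only the fields whose translated value is not ORIG."""
    return replace(pkt,
                   src=pkt.src if r.xsrc == ORIG else OBJECTS[r.xsrc],
                   dst=pkt.dst if r.xdst == ORIG else OBJECTS[r.xdst],
                   dport=pkt.dport if r.xsvc == ORIG else SERVICES[r.xsvc])


class Gateway:
    def __init__(self, rules: List[Rule], proxy_arp: set):
        self.rules = rules
        self.proxy_arp = proxy_arp      # external addresses the gateway answers ARP for
        self.hide_state: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 10000

    def outbound(self, pkt: Packet) -> Packet:
        r = first_match(pkt, self.rules)
        if r is None:
            return pkt
        out = apply_rule(pkt, r)
        if r.mode == "hide":
            # many-to-one: pick a fresh source port and remember which inside host
            # owns it, so that replies (and only replies) can be mapped back
            self._next_port += 1
            out = replace(out, sport=self._next_port)
            self.hide_state[(out.src, out.sport)] = (pkt.src, pkt.sport)
        return out

    def inbound(self, pkt: Packet) -> Tuple[str, object]:
        if pkt.dst not in self.proxy_arp:
            return ("dropped", "no ARP/route entry: packet never reaches the gateway")
        owner = self.hide_state.get((pkt.dst, pkt.dport))
        if owner:                       # reply to a session a hidden host opened
            return ("forwarded", replace(pkt, dst=owner[0], dport=owner[1]))
        r = first_match(pkt, self.rules)
        if r is None or r.mode == "hide":
            # a hide rule only matches traffic leaving the hidden net, so nothing
            # maps an unsolicited packet for HIDE_EXT onto an inside host
            return ("dropped", "no static translation for this destination")
        return ("forwarded", apply_rule(pkt, r))


# The post's rule base (all static), plus one constructed hide rule for the rest of INT_NET.
RULES = [
    Rule("static", "INT_NET", "INT_NET", ANY, ORIG, ORIG, ORIG),
    Rule("static", "MAIL_INT", ANY, ANY, "MAIL_EXT", ORIG, ORIG),
    Rule("static", ANY, "MAIL_EXT", "SMTP", ORIG, "MAIL_INT", ORIG),
    Rule("static", ANY, "MAIL_EXT", "POP3", ORIG, "MAIL_INT", ORIG),
    Rule("static", ANY, "MAIL_EXT", "PORT_1212", ORIG, "WEB1_INT", ORIG),
    Rule("static", ANY, "MAIL_EXT", "PORT_2323", ORIG, "WEB2_INT", ORIG),
    Rule("hide", "INT_NET", ANY, ANY, "HIDE_EXT", ORIG, ORIG),
]
INTERNET_HOST = "198.51.100.7"   # constructed outside address


def demo() -> Dict[str, object]:
    gw = Gateway(RULES, proxy_arp={OBJECTS["MAIL_EXT"], OBJECTS["HIDE_EXT"]})
    results: Dict[str, object] = {}
    # 1. unsolicited inbound to MAIL_EXT:1212 -> the static rule sends it to WEB1_INT
    results["web1"] = gw.inbound(Packet(INTERNET_HOST, 40000, OBJECTS["MAIL_EXT"], 1212))
    # 2. a workstation goes out through the hide address and the reply comes back
    out = gw.outbound(Packet("10.0.0.50", 5555, INTERNET_HOST, 80))
    results["hide_out"] = out
    results["hide_reply"] = gw.inbound(Packet(INTERNET_HOST, 80, out.src, out.sport))
    # 3. unsolicited inbound to the hide address: nothing maps it inside
    results["hide_unsolicited"] = gw.inbound(Packet(INTERNET_HOST, 40001, OBJECTS["HIDE_EXT"], 1212))
    # 4. the same WEB1 rule on a gateway that was never told to ARP for MAIL_EXT
    silent = Gateway(RULES, proxy_arp=set())
    results["no_arp"] = silent.inbound(Packet(INTERNET_HOST, 40000, OBJECTS["MAIL_EXT"], 1212))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17s} {value}")
```

Running `demo()` shows the four cases side by side: a static destination rule forwards an unsolicited packet for MAIL_EXT:1212 to WEB1_INT, a hidden host's outbound session gets a fresh source port and its reply is mapped back from state, an unsolicited packet for the hide address finds no translation at all, and a gateway that does not answer ARP for the translated address never sees the packet in the first place.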
-----Original Message-----
From: Barcus, Timothy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 12:45 PM
To: 'Joe Voisin'; FW1 List (E-mail)
Subject: RE: [FW1] FW1's NAT..
Have you made the required ARP and/or routing table changes on the firewall
system to reflect your translated addresses??
Also, I don't believe you can point an outside hidden address to multiple
(different) inside addresses. The routing for it just doesn't seem to make
sense..
-----Original Message-----
From: Joe Voisin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 11:35 AM
To: FW1 List (E-mail)
Subject: [FW1] FW1's NAT..
Importance: High
I am trying to do NAT on a single IP address splitting up the services
between machines in the DMZ... Pretty standard things really...
Original                          Translated
source    dest      service       source    dest      service
INT_NET   INT_NET   ANY           ORIG      ORIG      ORIG
(Don't translate if it's staying internal!)
MAIL_INT  ANY       ANY           MAIL_EXT  ORIG      ORIG
(Mail Server going out has to have an address...)
ANY       MAIL_EXT  SMTP          ORIG      MAIL_INT  ORIG
(Incoming mail has to get to the Mail Server. SMTP Port)
ANY       MAIL_EXT  POP3          ORIG      MAIL_INT  ORIG
(Incoming pop3 requests have to get to the mail server too!)
ANY       MAIL_EXT  PORT_1212     ORIG      WEB1_INT  ORIG
(why does this not work?)
ANY       MAIL_EXT  PORT_2323     ORIG      WEB2_INT  ORIG
(this one doesn't work either!!!)
When going through the logs, I see a connect on the right port and it seems
to be allowing the connection, but the web server never seems to respond.
It currently works fine on SMTP and POP3. Internet Exploder is coming back
with 'Cannot find Server or DNS Error'
If I add a test rule (the test works):
ANY       MAIL_EXT  PORT_1212     ORIG      MAIL_INT     TELNET
If I change the test to (this doesn't work!):
ANY       MAIL_EXT  PORT_1212     ORIG      TEST_SERVER  TELNET
I don't ever get a response from the telnet to port 1212 on the second test.
I set myself up with an any any rule for this test and it still doesn't
work.
My question is: will I have to bounce the firewall to make this work? Will
I have to purge the state tables or re-index the ruleset? I have found that
there are so many anomalies with checkpoint. I am also looking at upgrading
to SP2 this weekend.
I have also turned off spoofing protection and everything like that..
======================================================================
Joseph Voisin, Systems Administrator, Engel Canada Inc.
www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
PGP Fingerprint: A20B 135D 0920 074F C7FE D72D 88A7 2521 5138 DFC2
======================================================================
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================