I'm using static mode NAT. I'm NATing 2 static internal addresses based on
service type.
ANY  MAIL_SERVER  SMTP       ORIG  MAIL_INT(S)  ORIG
ANY  MAIL_SERVER  POP3       ORIG  MAIL_INT(S)  ORIG
ANY  MAIL_SERVER  PORT_1212  ORIG  WEB_INT(S)   HTTP
I had to change a route that pointed our live IP address directly at the
mail server. I, instead, pointed it at an internal router (layer 3 switch
actually) and it is able to route the packets now. It all works GREAT.
old
route add live_IP mail_internal
new
route add live_IP router_internal
I would also like to try and get this to work across to another subnet but
somehow I think that's a bit much to ask.. :)
Joe
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 09, 2000 1:25 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: [FW1] FW1's NAT..
>
>
>
> Correct-
> With hide mode NAT, there can be NO sessions/connections initiated by the
> outside.
>
> Thomas Poole
>
> -----Original Message-----
> From: Barcus, Timothy [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 09, 2000 12:45 PM
> To: 'Joe Voisin'; FW1 List (E-mail)
> Subject: RE: [FW1] FW1's NAT..
>
>
>
> Have you made the required ARP and/or routing table changes on the firewall
> system to reflect your translated addresses??
>
> Also, I don't believe you can point an outside hidden address to multiple
> (different) inside addresses. The routing for it just doesn't seem to make
> sense..
>
> -----Original Message-----
> From: Joe Voisin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 09, 2000 11:35 AM
> To: FW1 List (E-mail)
> Subject: [FW1] FW1's NAT..
> Importance: High
>
>
>
> I am trying to do NAT on a single IP address splitting up the services
> between machines in the DMZ... Pretty standard things really...
>
> source    dest      service    source    dest      service
> INT_NET   INT_NET   ANY        ORIG      ORIG      ORIG
> (Don't translate if it's staying internal!)
> MAIL_INT  ANY       ANY        MAIL_EXT  ORIG      ORIG
> (Mail Server going out has to have an address...)
> ANY       MAIL_EXT  SMTP       ORIG      MAIL_INT  ORIG
> (Incoming mail has to get to the Mail Server. SMTP Port)
> ANY       MAIL_EXT  POP3       ORIG      MAIL_INT  ORIG
> (Incoming pop3 requests have to get to the mail server too!)
> ANY       MAIL_EXT  PORT_1212  ORIG      WEB1_INT  ORIG
> (why does this not work?)
> ANY       MAIL_EXT  PORT_2323  ORIG      WEB2_INT  ORIG
> (this one doesn't work either!!!)
>
> When going through the logs, I see a connect on the right port and it seems
> to be allowing the connection, but the web server never seems to respond.
>
> It currently works fine on SMTP and POP3. Internet Exploder is coming back
> with 'Cannot find Server or DNS Error'
>
> If I add a test rule (the test works):
> ANY       MAIL_EXT  PORT_1212  ORIG      MAIL_INT     TELNET
>
> If I change the test to (this doesn't work!):
> ANY       MAIL_EXT  PORT_1212  ORIG      TEST_SERVER  TELNET
> I don't ever get a response from the telnet to port 1212 on the second test.
> I set myself up with an any any rule for this test and it still doesn't
> work.
>
> My question is: will I have to bounce the firewall to make this work? Will
> I have to purge the state tables or re-index the ruleset? I have found that
> there are so many anomalies with checkpoint. I am also looking at upgrading
> to SP2 this weekend.
>
> I have also turned off spoofing protection and everything like that..
> ======================================================================
> Joseph Voisin, Systems Administrator, Engel Canada Inc.
> www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
> PGP Fingerprint: A20B 135D 0920 074F C7FE D72D 88A7 2521 5138 DFC2
> ======================================================================
>
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
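A toy model of why the route change described at the top of this thread matters, added here as an illustration and not written by any poster. It assumes the gateway does its route lookup on the original (pre-NAT) destination and only then translates by service, which the thread does not state; all addresses and function names are constructed.

```python
# Assumption (not stated in the thread): the gateway routes on the ORIGINAL
# destination first, then applies destination NAT chosen by service.
# All addresses below are constructed sample values.
LIVE_IP = "192.0.2.10"
MAIL_INT, WEB_INT, ROUTER_INT = "10.0.0.25", "10.0.0.80", "10.0.0.1"

# (original dest, original port) -> (translated dest, translated port)
NAT_RULES = {
    (LIVE_IP, 25): (MAIL_INT, 25),     # SMTP
    (LIVE_IP, 110): (MAIL_INT, 110),   # POP3
    (LIVE_IP, 1212): (WEB_INT, 80),    # PORT_1212 -> HTTP
}
ROUTERS = {ROUTER_INT}  # hosts that forward packets not addressed to themselves


def deliver(dst_ip, dst_port, host_routes):
    """Return the host that finally accepts the packet, or None if it is lost."""
    next_hop = host_routes.get(dst_ip)        # 1. route lookup on pre-NAT destination
    rule = NAT_RULES.get((dst_ip, dst_port))  # 2. destination NAT selected by service
    if next_hop is None or rule is None:
        return None
    new_dst, _new_port = rule
    if next_hop == new_dst:                   # 3a. next hop is the translated host itself
        return new_dst
    if next_hop in ROUTERS:                   # 3b. a router forwards to the real host
        return new_dst
    return None                               # 3c. a plain host discards another host's packet


def reachable_services(host_routes):
    """Map each NATed port to the internal host that receives it (None = no reply)."""
    return {port: deliver(ip, port, host_routes) for (ip, port) in NAT_RULES}


OLD_ROUTE = {LIVE_IP: MAIL_INT}     # route add live_IP mail_internal
NEW_ROUTE = {LIVE_IP: ROUTER_INT}   # route add live_IP router_internal

if __name__ == "__main__":
    print("old:", reachable_services(OLD_ROUTE))
    print("new:", reachable_services(NEW_ROUTE))
```

Under that assumption the old route reproduces the reported symptoms: SMTP and POP3 reach the mail server while port 1212 gets no answer, and the new route delivers all three.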