Absolutely,
Firewall requires that the NATing take place on one of the criteria.  You cannot say
source to any, translate to source to site1.  Firewall simply will not allow it.  I
agree wholeheartedly with Dan H.

BTW, from what I've heard, your scenario was one of the reasons behind IP pooling.

just my $0.02

CT

Dan Hitchcock wrote:

> If you just need to get the SR clients any internal address (not necessarily
> the internal address of the firewall), you can use IP Pool NAT (new in 4.1)
> to NAT inbound SR clients.  You'll need to reserve a block of internal
> addresses (just like a DHCP pool), create an address range object for the
> pool, and ARP those addresses to the inside of your firewall (local.arp if
> NT, published arp if *nix).  You'll also need to enable IP Pool NAT in your
> policy properties (IP Pool NAT tab) and on your firewall object (NAT tab) -
> see pp. 247-250 of the 4.1 VPN OEM doc (VPN.pdf) for details.
>
> Hope that helps...
>
> Dan Hitchcock
> CCNA, MCSE
> Network Engineer
> Xylo, Inc. (formerly employeesavings.com)
> 425.456.3970
> The work/life solution for corporate thought leaders
>
> -----Original Message-----
> From: Murphy, Paul [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 08, 2000 9:14 AM
> To: 'Robert Rinnberger'; [EMAIL PROTECTED]
> Subject: RE: [FW1] SecuRemote and NAT to inside
>
>
> Are you sure you have the translated source set to Hide?  That's the error
> you get when you do an Any to Static translation.
>
> Paul.
>
>
> -----Original Message-----
> From: Robert Rinnberger [mailto:[EMAIL PROTECTED]]
> Sent: 08 November 2000 17:00
> To: [EMAIL PROTECTED]
> Subject: [FW1] SecuRemote and NAT to inside
>
> Hi,
>
> I have a running configuration with SecuRemote and VPN-1 V4.1. My problem
> is, I would like to translate the outside IP address of the SecuRemote client to
> the inside IP address of the firewall.
>
> I tried to set up a NAT rule like this:
>
> original packet                    translated packet
> source   destination    service    source        destination    service
> any      mail           any        int_ip_fw1(H) =original      =original
>
> There is an error when verifying the rule base:
> invalid <any> in source of address translation in rule 1. <any> is valid
> only if the
> matching translated colum is original.
>
> For a workaround I configured a network object with the source ip address of
> the SecuRemote
> client and replaced the object <any> with this network object.
>
> Is there a smarter way to configure this case?
>
> Thanks,
> Robert
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
>