Are you trying to hide the internal networks behind a different *single*
IP address or are you trying to hide the different internal networks
behind different *blocks* of addresses?

Assuming that you are mapping one network to one IP address, you'll need to
do this:

- create a network object for each network:
        - on the General tab put the internal network address/mask
        - on the NAT tab put the external address (check the box!)
- configure routing on the firewall so that the external address
  routes to the gateway for the internal network (if not local).
        (Solaris:
          route add <external IP> <internal router or gw>
        )
- publish the arp so that packets to the other external IPs get
  delivered to the firewall:
        (Solaris:
          arp -s <external IP> <MAC address of the FW ext_if> pub
        )

Finally, create rules in the policy to allow traffic out from the internal
networks. Use the xlate src & xlate dest columns in the log viewer to
troubleshoot.

hth,

--gill

On Mon, 12 Feb 2001, Velasquez Venegas Jaime Omar wrote:
> 
> We have this situation:
> Trusted Networks:
> 172.16.12.0 (which has to be natted to a.b.c1.d)
> 172.16.13.0 (which has to be natted to a.b.c2.d)
> 172.16.14.0 (which has to be natted to a.b.c3.d)
> 
> FW-1 has one internal interface and one external interface (valid IP
> address): a.b.c1.d
> Question: Since I have to NAT every internal network to a different valid
> IP address, what is the recommended approach to this: static routes on the
> router for every single valid IP address, or an IP alias for the single
> external interface on the firewall?
> 

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
--gill  | Tatu Ylonen, SSH 1.2.12 README:  "Beware that the most effective
        | way for someone to decrypt your data may be with a rubber hose."


