Hope someone can help here.
We're having trouble with static NAT and getting a box to be public facing.
I've set up a rule so that I can ping the box from my ISP dial-up connection
and this is what I see in the log.
On the inbound echo request I get this...
Source    Destination    Action    Xltd Srce    Xltd Destination
ISP IP    Public         Accept    ISP IP       Private
...which is OK and what I would expect. On the return traffic I get this...
Source    Destination    Action    Xltd Srce    Xltd Destination
Public    ISP IP         Deny      Private      ISP IP
...which is not what I expect. I know it is being dropped because my
rulebase does not allow this traffic the other way around; however, it seems
to be NATting the return traffic before applying it to the rulebase rather
than after. If I change my rule pair from...
1.
Source     Destination    Service
Any        Public         ICMP
2.
Source     Destination    Service
Private    Any            ICMP
to...
1.
Source     Destination    Service
Any        Public         ICMP
2.
Source     Destination    Service
Public     Any            ICMP
then I get the ping replies, so I know everything else is working OK. Apply
rules is set to Inbound.
I'm using 4.1 SP3, and looking in the Administration Guide (SecAdmin.pdf) on
page 473 (Acrobat p. 501), the way I can get it to work (the 2nd rule pair)
is correct behaviour, i.e. all NAT for both the inbound and return packets is
performed on the internal interface: the last thing for the inbound packet,
the first thing for the return packet. Did Check Point change that for 4.1,
as I thought NAT was always the last thing no matter which way the packet
was heading?
Confused!
Ali
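A small model of the inspection order described in the post, added here as an illustration and not part of Ali's message or of any Check Point code. It assumes a first-match rulebase with an implicit drop, the placeholder addresses from the post, and two candidate orderings for the return packet: source NAT before the rulebase (what the 4.1 SP3 log shows) and NAT last (what the poster expected).

```python
# Constructed model of FireWall-1 4.1 static NAT with "Apply rules" = Inbound.
# Addresses are the placeholders used in the post, not real hosts.
ISP_IP, PUBLIC, PRIVATE = "ISP IP", "Public", "Private"
STATIC_NAT = {PUBLIC: PRIVATE}     # destination NAT for the inbound request
REVERSE_NAT = {PRIVATE: PUBLIC}    # source NAT for the return reply
ICMP = "ICMP"

def match(rulebase, src, dst, service):
    """First-match rulebase; 'Any' is a wildcard; no match means Deny."""
    for rule_src, rule_dst, rule_svc, action in rulebase:
        if rule_src in (src, "Any") and rule_dst in (dst, "Any") \
                and rule_svc == service:
            return action
    return "Deny"

def inspect_inbound(rulebase, src, dst, service):
    """Echo request from the ISP: rulebase on the external interface,
    destination NAT applied afterwards on the internal interface.
    Returns (action, translated source, translated destination)."""
    action = match(rulebase, src, dst, service)
    return action, src, STATIC_NAT.get(dst, dst)

def inspect_return(rulebase, src, dst, service, nat_first=True):
    """Echo reply from the private host arriving on the internal interface.
    nat_first=True: source NAT, then rulebase (behaviour seen in the log).
    nat_first=False: rulebase, then source NAT (the NAT-last expectation)."""
    if nat_first:
        src = REVERSE_NAT.get(src, src)
        return match(rulebase, src, dst, service), src, dst
    action = match(rulebase, src, dst, service)
    return action, REVERSE_NAT.get(src, src), dst

# The two rule pairs from the post: (source, destination, service, action).
PAIR_PRIVATE = [("Any", PUBLIC, ICMP, "Accept"), (PRIVATE, "Any", ICMP, "Accept")]
PAIR_PUBLIC = [("Any", PUBLIC, ICMP, "Accept"), (PUBLIC, "Any", ICMP, "Accept")]

def reply_action(rulebase, nat_first=True):
    """Action the rulebase gives the echo reply under the chosen ordering."""
    return inspect_return(rulebase, PRIVATE, ISP_IP, ICMP, nat_first)[0]

if __name__ == "__main__":
    print("request:", inspect_inbound(PAIR_PRIVATE, ISP_IP, PUBLIC, ICMP))
    for name, rb in (("Private rule", PAIR_PRIVATE), ("Public rule", PAIR_PUBLIC)):
        print(name, "NAT-first:", reply_action(rb),
              "NAT-last:", reply_action(rb, nat_first=False))
```

Under NAT-first the rule with source Private never sees the reply's private address, which is why only the second rule pair accepts it; under NAT-last the situation reverses.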
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================