Same here. Have to add a NAT rule in addition to or
instead of the one created automatically.
Chris
--- Juan Concepcion <[EMAIL PROTECTED]> wrote:
>
> There is a method to correct this. However, not available to me at this
> very moment. Will post it tomorrow.
>
> > Dan Hitchcock wrote:
> >
> > I have also seen this happen when using automatic NAT rules - the
> > firewall is NATting fine, then suddenly, with no explanation, private
> > addresses start leaking to the public network. Nothing in the
> > firewall logs, nothing in fwd.elg, the NAT xlate state tables aren't
> > full, fw ctl pstat looks fine, etc etc.
> >
> > The fix has been to create manual NAT rules in the address translation
> > rulebase rather than automatic NAT rules on the objects themselves.
> >
> > BTW, Hey Check Point, what's up with this? I've never found a
> > satisfactory explanation anywhere for this, and the problem persists
> > right up through 4.1SP4 (have seen it as early as 4.0SP1).
> >
> > Dan Hitchcock
> > CCNP, CCSE, MCSE
> > Security Analyst
> > Breakwater Security Associates, Inc.
> > "Safe Harbor for E-Business"
> > dhitchcock (at) breakwatersecurity (dot) com
> > http://www.breakwatersecurity.com
> > 206-770-0700 work
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 04, 2001 2:56 AM
> > To: Siow Yun Patricia
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
> >
> > Do you have any "halloc failed blah blah" in your fwd.elg?
> >
> > Maybe you run out of kernel memory; you can try to increase fwhmem
> > in /etc/system as shown:
> >
> > set fw:fwhmem=0x900000
> >
> > This number is calculated for my config. I think there is a phoneboy
> > article covering this issue.
> >
> > Raúl.
> >
> > Siow Yun Patricia <[EMAIL PROTECTED]>@lists.us.checkpoint.com
> > on 03/09/2001 05:59:24
> >
> > Sent by: [EMAIL PROTECTED]
> >
> > From: Siow Yun Patricia <[EMAIL PROTECTED]> @lists.us.checkpoint.com
> > Date: 03/09/2001 05:59
> > Subject: [FW1] NAT fails on adhoc basis - Anybody encountered this before ?
> >
> > Hi all !
> >
> > Have any administrators encountered this problem before ?
> >
> > Setup :
> > Checkpoint 4.1 sp4 on pair of Sun Ultra 10s Solaris 7. Implements
> > stonebeat fullcluster for HA and load balancing solution. Implements
> > VPN with use of SecuRemote.
> >
> > Problem :
> > NAT fails without reason on an adhoc basis.
> > Noticed that after pushing out the same policy with minor changes to
> > the firewall many times (during testing). NAT fails to work even though
> > it has previously worked before. What's odd is that after creating a
> > new rulebase and creating a set of rules and NAT exactly the same as
> > before. Pushed it out to the nodes again. NAT works.
> >
> > Are there any state files or config files to remove and check without
> > the need to re-create a new policy every time ?
> >
> > Thanks in advance.
> >
> > Rgds,
> > Patricia
> >
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
>
> --
> Juan Concepcion
> Network Security Engineer
> CCSA CCSE
> [EMAIL PROTECTED]
>