Hi Anders

Ahhh... right..... yes, I can see that now.... so I need to create a group
that contains the DMZ subnet + the ARP'd/NAT'd external IPs, and apply that
to the DMZ interface (with LAN/WAN subnet group on inside NIC, and Others on
External NIC). It's easy when you get it pointed out like that.. many thanks
for your help

Steve


> No, you include the NAT-addresses in the DMZ anti spoofing settings.
>
> As I understood it from a previous discussion on the list, NAT is the
> last thing that happens before the packet is released on to the DMZ
> network.
> Thus, the NAT-address must be valid for that interface to pass the
> spoofing check.
>
> Cheers,
> Anders :)
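
A simplified model of the check described in this thread, as an added example that is not part of the original messages and not Check Point's code: because NAT happens last, the spoofing check on the DMZ interface sees the external NAT address, so that address must be in the DMZ interface's valid-address group. All addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed addressing (RFC 1918 / RFC 5737 ranges), not taken from the thread.
DMZ_SUBNET = ipaddress.ip_network("192.168.2.0/24")
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
WAN_SUBNET = ipaddress.ip_network("192.168.3.0/24")
# External IPs that are ARP'd on the outside and statically NAT'd to DMZ hosts.
STATIC_NAT = {
    ipaddress.ip_address("203.0.113.10"): ipaddress.ip_address("192.168.2.10"),
    ipaddress.ip_address("203.0.113.11"): ipaddress.ip_address("192.168.2.11"),
}

def in_group(addr, group):
    return any(addr in net for net in group)

def build_groups(include_nat_in_dmz):
    """Valid-address groups per interface; the DMZ group is the one in question."""
    dmz = [DMZ_SUBNET]
    if include_nat_in_dmz:
        dmz += [ipaddress.ip_network(f"{ip}/32") for ip in STATIC_NAT]
    return {"inside": [LAN_SUBNET, WAN_SUBNET], "dmz": dmz}

def valid_on(iface, addr, groups):
    # "Others" on the external NIC: anything not claimed by another interface.
    if iface == "external":
        return not any(in_group(addr, g) for g in groups.values())
    return in_group(addr, groups[iface])

def forward_to_dmz(src, dst, groups):
    """Packet arriving on the external NIC, routed out of the DMZ NIC."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not valid_on("external", src, groups):
        return ("drop", "spoofed source on external")
    # Modelled assumption: the check runs before NAT rewrites the destination.
    if not valid_on("dmz", dst, groups):
        return ("drop", "destination not valid on dmz")
    return ("accept", str(STATIC_NAT.get(dst, dst)))

if __name__ == "__main__":
    for include in (False, True):
        groups = build_groups(include)
        print(include, forward_to_dmz("198.51.100.7", "203.0.113.10", groups))
```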
