Hi, dear all. Thanks for your contributions. I checked through the
rulebase "Properties" in the Policy Editor, but I found that the ICMP setting
was checked and set to "Before Last", so I am including a snapshot of all the
options in the Policy Editor. Please help me take a look and tell me what is
wrong.
 
Thank you very much
Tong 

-----Original Message-----
From: Loring Rose [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 25, 2000 5:47 AM
To: 'Sim, CT (Chee Tong)'
Subject: RE: [FW1] The problem that we have for long time, pls help-picture and explanation attached



"Rule 0" means the implied rulebase. This is set using the rulebase
"Properties" in the Policy Editor (click the "Properties" button on the
toolbar or choose Policy...Properties from the menu bar). These rules are
processed before any numbered rules. Look under the "Security Policy" tab
and make sure "Accept ICMP" is checked (you normally want this set to
"Before Last" so you can specify more detailed ICMP policies in the
rulebase).


Loring Rose 
MCSE, CCSA, CNA, A+ 
Network Engineer 
GreatDomains.com 


:> -----Original Message----- 
:> From: Sim, CT (Chee Tong) [mailto:[EMAIL PROTECTED]]
:> Sent: Sunday, October 22, 2000 7:42 PM
:> To: 'Didier Arenzana'; 'Rodney Lacroix'; '[EMAIL PROTECTED]'
:> Subject: RE: [FW1] The problem that we have for long time, pls help-picture and explanation attached
:>
:>
:> Hi.. Thank you very much for your info, I appreciate that. :) However, I want
:> to check with you about the rule I had implemented; for the rest, I followed
:> your instructions.
:> 
:> The rules are as follows:
:>           Source   Dest           Service   Action
:> Rule  9:  Any      55.55.55.200   Any       Accept
:> Rule 10:  Any      10.10.10.68    Any       Accept
:> 
:> Is that correct?  
:> 
:> But when I ping 55.55.55.200 from my PC 55.55.55.100, it still shows me
:> destination not reachable. Then I checked the log and found something funny,
:> as shown:
:> 
:> Int   Origin  Action  Source        Dest          Protocol  Rule  XlateSrc      XlateDst
:> hme1  Fw      Accept  55.55.55.100  55.55.55.200  ICMP      9     55.55.55.100  10.168.3.68
:> hme2  Fw      Reject  55.55.55.100  55.55.55.200  ICMP      0     55.55.55.100  10.168.3.68
:> 
:> What is rule 0?? I never specified rule 0; all rules start from 1. Why does
:> it reject something again in rule 0?
:>
:> Please clarify this for me.
:> Tong 
:> 
:> -----Original Message----- 
:> From: Didier Arenzana [mailto:[EMAIL PROTECTED]]
:> Sent: Saturday, October 21, 2000 3:01 AM
:> To: Sim, CT (Chee Tong); 'Rodney Lacroix'; '[EMAIL PROTECTED]'
:> Subject: Re: [FW1] The problem that we have for long time, pls help-picture and explanation attached
:> 
:> 
:> 
:> Hi, 
:> 
:> 1) ARP. Your ARP entry is correct. 
:> 
:> 2) NAT Rules. 
:>   You want your 10.10.10.68 Workstation to be seen as 55.55.55.200. 
:> The following will do (static): 
:> Src IP       Dest IP      Serv    Xl Src    Xl Dest 
:> Any          55.55.55.200 Any     Orig      10.10.10.68 (s) 
:> The above means: if a packet arrives with any src ip, a dest ip of 
:> 55.55.55.200 to any service, xlate it to its orig src ip, and dest ip 
:> of 10.10.10.68. This rule will be used when any workstation tries to 
:> contact 55.55.55.200. 
:> 
:> Src IP       Dest IP     Serv  Xl Src          Xl Dest 
:> 10.10.10.68  Any         Any   55.55.55.200(s) orig 
:> This rule will be used for the return packets. 
:> 
:> 3) Routing.
:> Routing is done BEFORE NAT. So you should tell your OS that if a packet
:> must be routed to 55.55.55.200, it must go through gateway 10.10.10.68.
:> The following command will do:
:> route add 55.55.55.200 10.10.10.68 1
:> (on Solaris... I'm a Unix admin. I use NT only for GUIs)
:> 
:> With this configuration, it should work. 
:> 
:> PS: Please use ASCII art to write your diagram next time, it's quite 
:> time-consuming to have to open word or a .doc viewer to read your 
:> message. 
:> 
:> --- "Sim, CT (Chee Tong)" <[EMAIL PROTECTED]> wrote:
:> > Dear all,
:> >
:> > I need to access a WSS server on the DMZ zone using a fake address on
:> > my localnet.  Full explanation and picture are shown in the attachment
:> > below.
:> > Picture is simple, pls take a look and help me.
:> >
:> > Thank you very much
:> > Tong
:> >
:> 
:> 
:> 



This message was sent with an attachment which Rabobank International does not allow 
because the filetype is not considered to be business related or it contains 
"executable" code which could be destructive if run. Please note the attachment has 
now been deleted.
Should the attachment contain business critical information then the sender should use 
an alternative file format to deliver the information.

The original header content is included below
The following files were deleted:
        accesslist.gif
        authentication.gif
        ldap.gif
        lognalertbmp.gif
        misc.gif
        securitypolicy.gif
        securityserver.gif
        services.gif
        synD.gif
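
The static NAT rules and the routing-before-NAT ordering from Didier Arenzana's quoted reply above, modelled as an added example that is not part of the original thread. The interface layout (hme1 on 55.55.55.0/24, hme2 on 10.10.10.0/24) and all function names are assumptions; the model covers only those two points, not the FireWall-1 rulebase or its implied rules.

```python
import ipaddress

# Static NAT rules quoted in the thread: (field matched, address, translation)
NAT_RULES = [
    ("dst", "55.55.55.200", "10.10.10.68"),  # Any -> 55.55.55.200
    ("src", "10.10.10.68", "55.55.55.200"),  # 10.10.10.68 -> Any (return packets)
]

# Routes as (network, gateway, interface). The interface layout is assumed.
CONNECTED = [
    ("55.55.55.0/24", None, "hme1"),
    ("10.10.10.0/24", None, "hme2"),
]
# Equivalent of: route add 55.55.55.200 10.10.10.68 1
HOST_ROUTE = ("55.55.55.200/32", "10.10.10.68", None)


def egress(dst, routes):
    """Longest-prefix match; a gateway is resolved to its connected interface."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    _, gateway, iface = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return iface if gateway is None else egress(gateway, routes)


def translate(src, dst):
    """Apply the first matching static NAT rule."""
    for field, match, new in NAT_RULES:
        if field == "dst" and dst == match:
            return src, new
        if field == "src" and src == match:
            return new, dst
    return src, dst


def forward(src, dst, routes):
    """Route on the original destination first, then translate."""
    iface = egress(dst, routes)
    xsrc, xdst = translate(src, dst)
    return iface, xsrc, xdst


if __name__ == "__main__":
    print(forward("55.55.55.100", "55.55.55.200", CONNECTED))
    print(forward("55.55.55.100", "55.55.55.200", CONNECTED + [HOST_ROUTE]))
    print(forward("10.10.10.68", "55.55.55.100", CONNECTED + [HOST_ROUTE]))
```

Without the host route the first call selects hme1 even though the translated destination sits behind hme2, which is the situation the `route add` command corrects.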