Hi,

This sounds like a NAT misconfiguration. Can you ping some machine on the 
Internet with this configuration? Can you telnet to some host on the Internet?
Maybe you forgot the necessary static routes for NAT on the firewall:

For example:            
                         192.168.2.1
Internal Network ------ FW-1 ------- Router -------- Internet.
192.168.1.0      192.168.1.1        192.168.2.2

Let's suppose that your management station has the IP address 192.168.1.10 
which should be NATed to 195.1.1.10. In this case you have to create a new 
route on the firewall:
route add -host 195.1.1.10 192.168.1.10 1
This route is necessary to allow incoming packets.

Best regards

Heiko

> Hello,
> 
> I am trying to allow traceroutes, from a management station in my internal
> network, through Checkpoint's Firewall-1, out to the Internet. My network
> set up is as follows: (btw: the FW-1 is 3.0 VPN)
> 
> Internal Network ------ FW-1 ------- Router -------- Internet.
> 
> Note also that there is a static NAT translation between the internal and
> external networks. In terms of policies, I did the following:
> 
> NAT:
> - Everything from the management station inside, going outside is translated
> into a valid IP.
> - Everything from outside, going to the translated valid IP, is translated
> back to the real mngmt station internal IP.
> 
> Policy:
> - All traffic coming from or going to the management station is allowed
> through the firewall.
> 
> 
> But even with these open policies I wasn't able to traceroute from the
> mngmnt station... The traceroute gets "blind" as soon as it reaches the
> firewall. The curious thing is that I was able to traceroute from outside to
> the inside mngmnt station!
> 
> By the way, my router - as far as I know - is not blocking anything. I also
> tried to change FW-1's ICMP processing options from first, to before last.
> 
> Has anybody successfully allowed traceroute through FW-1? Any ideas and/or
> advice on this problem?
> 
> Thanks in advance,
> Fábio Rocha.
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
-- 
Dr. Heiko Ploehn                               AM Professional Services GmbH
Tel.: +49 89 64916339                          Geschwister-Scholl-Str. 4
Fax.: +49 89 6411636                           82031 Gruenwald
email [EMAIL PROTECTED]





