Huge Firewall Problem!

[Kimberlee Commarato]

Title: static nat

Hello Everyone! I hope that you are all having a wonderful, problem free firewall day! I am having a huge problem. You see, I have a client in NYC  (Large, WorldWide known banking firm) who is looking for firewall people. (Jr. and Sr. positions) Now my prolem is that No one has responded to this job and I am wondering why. The salaries are competitive, the benefits package is around 25k for the Sr., and the people who work there are GREAT! Now I have the exclusive on this account and it is because we are all close so I want to show them some great people. The requirements.....well have you worked in a Unix environment for over 3 years? Do you know any Cisco Pix? Do you live in the U.S and don't need sponsorship? Well then don't be bashful, send that resume. :) I love this company and placing people here is something I enjoy b/c they are so great! Like I said.....send your resume or call me at the number below.

 

EOE

 

MNLI- IT Staffing & Consulting Services

Kimberlee A. Commarato
Recruiter/Account Executive
300 E Corporate Ct.
South Plainfield, NJ 07080
Work: 888-657-6654 x3123
Fax: 908-753-7716
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Efrusy
Sent: Wednesday, February 07, 2001 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: static nat

Hi all,
I am having a strange problem when attempting to run static NAT.  We have a Checkpoint FW1 ver. 4.1 running on an NT server (SP 6).  This is connected on the inside to a Cisco 2900 switch and on the outside to a router owned by the ISP (via a hub).  On the inside network we are hiding NAT addresses of 10.0.0.0/24 with the firewall address of xxx.xxx.xxx.3.  This works fine.  However we also have several servers which I would like to put inside the network temporarily until we can get DMZs set up for them.  These servers need to have static addresses as they need to be reached from the outside.

I have set up static routes to them on the firewall box (using the route add command) and these show up fine when I do a route print command.  I have also added a local.arp file to the /winnt/fw1/4.1/state folder using the syntax (translated_address  MAC_ADDRESS_OF_EXTERNAL_FIREWALL_INTERFACE.  I then started and restopped the service, and installed rules allowing communication between the relevant IP addresses.

The problem is that I am not able to connect, either from the internal computer to the outside, or from the outside to the internal computer.  I set up a sniffer between the ISP router and the firewall, and did a ping from outside the network to the internal computer, and the ARP packet was translated fine, and an ICMP packet was sent out, but this packet was not received by the internal computer (I had a sniffer set up there too).  When pinging from the outside, the packet was not sent by the external interface of the firewall.  Is there some sort of rule that needs to be added that I am missing?  I am at a loss.  Thanks in advance.

Michael Efrusy
[EMAIL PROTECTED]
646-674-2045