Simon,
Is there a reason your only running Service Pack 1? I would recommend updating to the most recent CP service pack (5). Don't forget to update your GUI client also. I remember some sort of NATing issue with between site to site VPN's that was fixed with SP3. Looking over your config, looks like everything you need is in place. -Created the Object with internal address -Static NAT to Public IP -Created Local.arp. (Now I know this may sound funny, but for troubleshooting you might want to add the licensed outside NIC's MAC address also. Where your outside address is say 200.200.200.20 and your Unix public address is 200.200.200.21. Just add both addresses into the local.arp file with the same MAC. Also, I've found that this takes a few minutes for the router to update it's tables after you stop and start.) -Created the persistant static route. Though it looks like you have staticly added the address. You might want to simply drop the MASK in the command: > route ADD -p 200.200.200.21 10.10.10.1 METRIC 1 You don't always nee the METRIC in there also. > route ADD -p 200.200.200.21 10.10.10.1 SImply telling NT, see this address, send it to this other address. Don't know if this helps! Good Luck! Kevin Message: 2 --- simon chan <[EMAIL PROTECTED]> wrote: > Hi fellow cp users, > > we have a nt 4.0 sp6a running checkpoint 2000 sp1. > We intend to host a unix server so that it can be > reached > from the internet. > > We've created a a workstation object e.g. Ux giving > it a > spare private ip > address e.g. a.b.c.d and in the NAT tab, we've > selected > "Static" and give it > a public valid IP e.g. w.x.y.z > > We've created a local.arp file : > > w.x.y.z <tab> 00-00-E2-33-24-CA > > We've also created a permanent route in the NT : > > route add -p w.x.y.z mask 255.255.255.255 a.b.c.d > > We've added the necessary rules : > Any Ux Any Accept > > We've done fwstop and fwstart. > > We were able to access the internet from the Unix > machine > but not from > internet to the unix machine. > > We saw from logviewer that it's rejected by rule 0. > Our Security Policy setting : > *Either Bund > * Accept UDP > * Enable decyption > * Accept VPN-1 fw connection > * Accept ICMP before last > * Accept outgoing packets from GW before last > * log implied rules. > > > What have we done wrong ? > > > tks. > > > rgds, > > Simon _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
