I forgot to add that Manual Translation rules are always applied or executed before
Automatic Translation Rules.

-----Original Message-----
From: Previtera, Sal
Sent: Thursday, November 11, 2004 3:51 PM
To: 'Mailing list for discussion of Firewall-1'
Subject: RE: [FW-1] nat question

Create a Manual NAT rule in the Address Translation tab where:
ORIGINAL PACKET:   Source = 192.168.xx2.0, Destination = 192.168.xx1.0
TRANSLATED PACKET: Source = Original, Destination = Original

It will work; I am using such a rule.
Regards,
Sal.
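
A minimal first-match model of the rule order described in this thread, added here as an illustration and not taken from any message or from Check Point: a manual "Original/Original" rule listed ahead of the automatic Hide NAT rule keeps internal-to-DMZ traffic untranslated. The concrete addresses (192.168.2.0/24 internal, 192.168.1.0/24 DMZ, 203.0.113.2 hide address) are constructed stand-ins for the masked ones, and the names `NatRule`, `translate` and `audit` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses standing in for the masked ones in the thread.
INTERNAL = ipaddress.ip_network("192.168.2.0/24")
DMZ = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
HIDE_ADDR = ipaddress.ip_address("203.0.113.2")


@dataclass(frozen=True)
class NatRule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    translated_src: Optional[ipaddress.IPv4Address]  # None means "Original"


MANUAL_NO_NAT = NatRule("manual: internal->dmz, no NAT", INTERNAL, DMZ, None)
AUTO_HIDE = NatRule("automatic: hide internal", INTERNAL, ANY, HIDE_ADDR)


def translate(rules, src, dst):
    """Return (matching rule name, source address after NAT), first match wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip in rule.src and dst_ip in rule.dst:
            new_src = src_ip if rule.translated_src is None else rule.translated_src
            return rule.name, str(new_src)
    return None, str(src_ip)  # no rule matched: source stays as it was


def audit(rules, flows):
    """Return the flows whose source gets rewritten although it must stay original."""
    return [(s, d) for s, d in flows if translate(rules, s, d)[1] != s]


if __name__ == "__main__":
    internal_to_dmz = [("192.168.2.10", "192.168.1.5")]
    # Only the automatic hide rule: the DMZ sees the hide address.
    print(audit([AUTO_HIDE], internal_to_dmz))
    # Manual no-NAT rule first: nothing is flagged.
    print(audit([MANUAL_NO_NAT, AUTO_HIDE], internal_to_dmz))
    # Internet-bound traffic still hides behind the public address.
    print(translate([MANUAL_NO_NAT, AUTO_HIDE], "192.168.2.10", "198.51.100.7"))
```

Running `audit` over the flows that must keep their real source address is a quick check that a rule-base change has not pushed the no-NAT rule below a broader hide rule.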

-----Original Message-----
From: Kim Longenbaugh [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] nat question

We currently have the NAT configured on the internal interface, and it hides
behind an IP address on the subnet the external interface is on, i.e., the
external interface is xxx.xxx.111.1 and the hide NAT address is
xxx.xxx.111.2.

Our DMZ is a private subnet, 192.168.xx1.0. Our internal subnet is
192.168.xx2.0.
My problem occurs because when a packet is destined from our internal
network to the DMZ, it gets NATted to xxx.xxx.111.2.


>>> [EMAIL PROTECTED] 11/11/04 12:52PM >>>
Perhaps I misunderstood his question the way he asked "which interface
do you configure nat on?".  You are correct, you configure it on the
internal network object, but you tell it to hide behind the external
interface.

Hal

-----Original Message-----
From: Jon Allingham [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] nat question


I set my NAT on the internal _network_ objects. That gives me more
flexibility as I have at least one network that has public IPs and does
not get NATed. I'm not sure how/why you would set NAT on an external
_network_ object as you don't usually have network objects for the
external network; at least I don't have any reason to. I think you can
set NAT globally on your firewall object to cover specific outbound
interfaces, but I haven't tried that and it wouldn't work for me anyway
unless I over-rode it somewhere else.

--
Jon Allingham
Director
Leapstone Systems


-----Original Message-----
From: Hal Dorsman [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] nat question

External.  You want the internet thinking everything is coming from your
firewall, so you hide behind its external legal IP.  Think of it from a
purely routing standpoint: the gateway back into your private network is
the external interface of your firewall.  To get everything back to your
private network it has to be sent to your firewall, so everything coming
from it has to appear to be from that.

Hal

-----Original Message-----
From: Kim Longenbaugh [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] nat question


OK, at the risk of sounding stupid, which interface do you configure
Hide NAT on so your internal network can browse the internet? Say you
have an external interface, a dmz interface, and an internal interface.
Say you want hosts on your internal network to get to the internet, and
you want them to appear to the outside world as xxx.xxx.xxx.20 (assuming
a public address). Do you configure Hide NAT in the internal network
object, or on the external network object?

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
