Ray,
The Firewall is just a routing device with CP software
on it.  Therefore it is reasonable that you can access
both xxx.xxx.123.123 and yyy.yyy.123.123 because the
upstream device in front of the firewall (probably a
router) has either static or dynamic routes to go to
xxx.xxx.123.123 by pointing to the firewall.

The easiest thing to do is to remove the route on the
upstream device so that it does not know how to get to
xxx.xxx.123.123 and the only way to get to it is via
yyy.yyy.123.123.  Without removing this route, no
amount of NAT can change this behavior.

A Cisco router behaves the same way.

HTH
cisco4ng

--- Ray <[EMAIL PROTECTED]> wrote:

> Yes, this has been a thoroughly confusing week.
> Thanks for noticing.  :-)
> 
> I'm working with a company that uses public IPs on
> their internal network 
> because it's fifteen years old. They have been
> allowing direct connections 
> to each internal computer directly from the Internet
> (no NAT). We now have 
> Hide NAT configured to at least obscure the internal
> IP space from the 
> Internet.
> 
> We're trying to set up Static NAT to do the same
> with their internal 
> servers. The internal "public" IP is
> 
> xxx.xxx.123.123
> 
> and the "Static" address set on the server node
> object NAT tab is
> 
> yyy.yyy.zzz.123
> 
> Interestingly, BOTH IP addresses are now accessible
> from the Internet. 
> There's only one node object with that
> xxx.xxx.123.123 internal IP address 
> and it's only specified in one rule.
> 
> Is this normal behavior for R55? I would have
> thought that adding the static 
> NAT entry would have blocked the internal IP address
> from being accessible 
> from the Internet, but it didn't.
> 
> Thanks,
> 
> Ray
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
> 



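The routing point made in the reply above, as an added example that is not part of the original thread: a small Python model of the upstream router's route lookup followed by the firewall's static NAT, showing which destinations still reach the server before and after the upstream route is removed. The addresses are constructed from documentation ranges (the thread masks the real ones), and the function names and the assumption that the firewall rule accepts traffic for the server under either address are this example's own.

```python
import ipaddress

# Constructed sample addresses (documentation ranges); the thread masks the real ones.
REAL_IP = ipaddress.ip_address("198.51.100.123")  # server's internal "public" address
NAT_IP = ipaddress.ip_address("203.0.113.123")    # static NAT address on the node object
FIREWALL = "firewall"

def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None if no route covers dst."""
    matches = [(net, hop) for net, hop in routes.items() if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def delivered_to(upstream_routes, static_nat, dst):
    """Follow a packet from the Internet: upstream router first, then the firewall.

    Returns the address the packet finally reaches, or None if the upstream
    router never hands it to the firewall.
    Assumption: the firewall rule accepts traffic for the server under either
    address, which matches what the thread reports observing.
    """
    dst = ipaddress.ip_address(dst)
    if lookup(upstream_routes, dst) != FIREWALL:
        return None  # no path upstream: the firewall never sees the packet
    # Static NAT rewrites only packets addressed to the NAT address. A packet
    # addressed to the real address is not translated, it is simply routed on.
    return static_nat.get(dst, dst)

def exposure(upstream_routes, static_nat):
    """Map each candidate destination to True if it reaches the real server."""
    return {str(ip): delivered_to(upstream_routes, static_nat, ip) == REAL_IP
            for ip in (REAL_IP, NAT_IP)}

STATIC_NAT = {NAT_IP: REAL_IP}

# Before: the upstream router still routes the internal network to the firewall.
ROUTES_BEFORE = {
    ipaddress.ip_network("198.51.100.0/24"): FIREWALL,
    ipaddress.ip_network("203.0.113.0/24"): FIREWALL,
}
# After: the route to the internal network has been removed upstream.
ROUTES_AFTER = {ipaddress.ip_network("203.0.113.0/24"): FIREWALL}

if __name__ == "__main__":
    print("before:", exposure(ROUTES_BEFORE, STATIC_NAT))
    print("after: ", exposure(ROUTES_AFTER, STATIC_NAT))
```

The model also shows the other half of the dependency: the NAT address is reachable only while the upstream device has a route for it toward the firewall.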