Robby,

Sorry for my misunderstanding. I believe that you'll want to get a kernel debug of the xlate table to see what's going on.

fw ctl debug 0
fw ctl debug -buf 4096
fw ctl debug xlate
fw ctl kdebug -f > xlate.out

Send the traffic through and see what the xlate.out tells you. You can contact me off the list if your problem isn't obvious in the file.

Jason

On 8/30/06, Robby Cauwerts <[EMAIL PROTECTED]> wrote:
Hi,

I have the following setup (notice that LAN A and LAN B have the same network range):

HOST A 192.168.254.50
|
LAN A 192.168.254.0/24 (overlapping NAT range 192.168.249.0/24)
|
| 192.168.254.1(eth1)
ROUTER A
192.168.251.2 (eth2)
|
| 192.168.251.1(eth1)
Check Point FW R60 192.168.252.2 (eth3) ----- to internet router 192.168.252.1
192.168.254.1(eth2)
|
|
LAN B 192.168.254.1
|
HOST B 192.168.254.2 (static NAT to 192.168.250.2)

And the following NAT addresses:

overlapping NAT range for LAN A: 192.168.249.0/24
Static NAT for a server on LAN B: 192.168.254.2 <-> 192.168.250.2

Hosts on LAN A need to set up a connection to hosts on LAN B. But as you can see, LAN A and LAN B have the same network ranges.

Using GuiDBedit I've modified the following parameters for eth1 on the Check Point FW:

- enable_overlapping_nat -> TRUE
- overlap_nat_dst_ipaddr -> 192.168.254.0
- overlap_nat_netmask -> 255.255.255.0
- overlap_nat_source_ipaddr -> 192.168.249.0

+ a route for 192.168.249.0 to 192.168.251.2 (eth2 ROUTER A) on the Check Point FW

This is based on a more-or-less similar setup in the R60 Firewall guide (overlapping NAT section).

So if host 192.168.254.50 on LAN A wants to set up a connection to 192.168.250.2 (static NAT to host 192.168.254.2 on LAN B), the following should happen on the Check Point FW:

eth1 - before NAT
src addr: 192.168.254.50
dst addr: 192.168.250.2

eth1 - after NAT
src addr: 192.168.249.50
dst addr: 192.168.249.2

packet leaves eth2 to 192.168.249.2

But what I see is:

eth1 - before NAT
src addr: 192.168.254.50
dst addr: 192.168.250.2

eth1 - after NAT
src addr: 192.168.249.50
dst addr: 192.168.240.2

packet leaves eth3 (default gw) to 192.168.249.2

So the modified overlapping NAT parameters for eth1 are working (see Xlated src addr) but not the static NAT and the routing.

Does someone have a similar -working- setup?

With a Cisco router this can be done: http://www.cisco.com/warp/public/556/3.html

How about Check Point?

Kind Regards.
Robby

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
