Firstly, use fw monitor instead of tcpdump; use the iIoO switches to see what is exactly happening.

Secondly, why is there a need for source and destination NAT if the external client is on the same network segment as the external interface?

You will probably find your firewall is not arping for the correct address or it is on the wrong interface. Also check your antispoofing. After editing local.arp do a cprestart.

JP

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Sergio Alvarez
Sent: Wednesday, 12 September 2007 10:35 AM
To: [email protected]
Subject: [FW-1] Strange situation with traffic through fw

Hello,

I currently have a situation I just can't find the solution for. This is an R65 SPLAT firewall module. Due to a special situation, my customer requires that a particular traffic, originated from address A and destined to address B, that arrives on the external interface of the fw, be translated to source IP C and destination IP D. Basically we have a manual NAT rule that NATs both source and destination, and this used to work with an old firewall they had.

What I did was install the new fw module on a new machine, copy IPs, routes, and the local.arp file (required because of the manual NAT rules) and of course use the proper MAC addresses. Finally I created a new firewall module object in the Dashboard and replaced the old fw object with this one (because the hostname changed).

When we attempt a connection that requires the manual NAT mentioned above, the SV Tracker shows the connection as allowed but the client never gets a successful connection (it is SSH to an internal server). A tcpdump on the internal interface shows traffic in both directions, but on the external interface I only see inbound traffic. This all means the connection is initiated by the client, the server receives it and replies, but the firewall is not passing that reply back to the external client.
This is typical of a routing issue, where the firewall does not have the required route to send packets back to the source of the initial connection, but the external client resides in the same network segment as the external interface, so there is no real need for a route.

Does anybody have any ideas of what is going on here? I spent around 3-4 hours today struggling with this and will have to go back tomorrow morning to try to figure it out. Any help will be greatly appreciated.

Regards
--
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
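As an added illustration of the fw monitor advice above (not part of the thread and not Check Point code), the script below parses constructed sample output in the general layout fw monitor prints, follows each packet by its IP id across the i/I/o/O inspection points (the id survives NAT, so the pre- and post-translation addresses can be matched) and reports the last point at which the reply was seen. Interface names, addresses, the NAT mapping A->B to C->D and the exact output layout are assumptions.

```python
import re

# Constructed sample in the general layout of "fw monitor" output; not a real capture.
# Inspection points: i = before inbound inspection, I = after it, o = before outbound, O = after it.
# Client A=198.51.100.20 reaches B=198.51.100.5; manual NAT rewrites it to C=203.0.113.20 -> D=10.0.0.5.
SAMPLE = """\
eth1:i[60]: 198.51.100.20 -> 198.51.100.5 (TCP) len=60 id=1001
TCP: 40000 -> 22 .S.... seq=1 ack=0
eth1:I[60]: 203.0.113.20 -> 10.0.0.5 (TCP) len=60 id=1001
TCP: 40000 -> 22 .S.... seq=1 ack=0
eth0:o[60]: 203.0.113.20 -> 10.0.0.5 (TCP) len=60 id=1001
TCP: 40000 -> 22 .S.... seq=1 ack=0
eth0:O[60]: 203.0.113.20 -> 10.0.0.5 (TCP) len=60 id=1001
TCP: 40000 -> 22 .S.... seq=1 ack=0
eth0:i[60]: 10.0.0.5 -> 203.0.113.20 (TCP) len=60 id=2002
TCP: 22 -> 40000 .S..A. seq=9 ack=2
eth0:I[60]: 10.0.0.5 -> 203.0.113.20 (TCP) len=60 id=2002
TCP: 22 -> 40000 .S..A. seq=9 ack=2
"""

# One header line per inspection point; the IP id is unchanged by NAT, so it links the hops of one packet.
HDR = re.compile(r"^(?P<iface>\S+):(?P<pt>[iIoO])\[\d+\]:\s+(?P<src>\S+) -> (?P<dst>\S+) "
                 r"\(\w+\) len=\d+ id=(?P<id>\d+)")

VERDICT = {  # keyed by the last inspection point a packet was seen at
    "i": "dropped by inbound inspection (rule base / anti-spoofing?)",
    "I": "accepted inbound but never reached an outbound point (routing?)",
    "o": "dropped by outbound inspection",
    "O": "left the firewall (if the peer still never sees it, check ARP / local.arp)",
}

def parse_fw_monitor(text):
    """Return {ip_id: [(iface, point, src, dst), ...]} in capture order."""
    hops = {}
    for m in filter(None, map(HDR.match, text.splitlines())):
        hops.setdefault(m["id"], []).append((m["iface"], m["pt"], m["src"], m["dst"]))
    return hops

def diagnose(text):
    """Return {ip_id: (path, verdict)}, noting whether addresses changed (NAT) along the way."""
    report = {}
    for pid, hops in parse_fw_monitor(text).items():
        path = " -> ".join(f"{iface}:{pt}" for iface, pt, _, _ in hops)
        nat = "NAT applied" if hops[0][2:] != hops[-1][2:] else "no NAT seen"
        report[pid] = (path, f"{VERDICT[hops[-1][1]]} [{nat}]")
    return report

if __name__ == "__main__":
    for pid, (path, verdict) in diagnose(SAMPLE).items():
        print(f"id={pid}: {path}: {verdict}")
```

In the constructed sample the SYN (id 1001) crosses all four points with NAT applied, while the server's reply (id 2002) is last seen at eth0:I, which is the symptom described in the thread: accepted on the internal interface but never handed to the external one.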
