Thanks Jean-Paul, I will try fw monitor later this morning when I get the chance to work on those machines.
The deal is the source is not really in the same segment as the external interface; I guess I made a mistake explaining that. The destination server IS on the same range as the internal interface, and the reason why source and destination NAT are required is because the internal network machines have their default gateway pointing somewhere else (this fw is not for Internet access but for access to another WAN in the organization), and also because the far side (where the client resides) must see the server with a different IP than its real one (for a reason nobody has explained to me yet).

I did cprestart after modifying local.arp, and in fact when I enter "fw ctl arp", I do see all the manual arp entries. Only two interfaces are active on this firewall, so I don't see how it could be publishing arps on the wrong one.

Do you have any extra ideas about this?

I did activate antispoofing and left the default option to log it, although I don't see any antispoofing drops in the Tracker. Actually the only thing I see is an accept, and the xlate columns (src and dst) show it did NAT the IPs correctly.

Thanks again for writing back.

Regards

On 9/11/07, Jean-Paul Baillon <[EMAIL PROTECTED]> wrote:
>
> Firstly use fw monitor instead of tcpdump - use the iIoO switches to see
> what is exactly happening.
>
> Secondly why is there a need for source and destination NAT if the
> external client is on the same network segment as the external
> interface?
>
> You will probably find your firewall is not arping for the correct
> address or it is on the wrong interface
>
> Also check your antispoofing
>
> After editing local.arp do a cprestart
>
> JP
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
> Sent: Wednesday, 12 September 2007 10:35 AM
> To: [email protected]
> Subject: [FW-1] Strange situation with traffic through fw
>
> Hello,
>
> I currently have a situation I just can't find the solution for.
>
> This is an R65 SPLAT firewall module. Due to a special situation, my
> customer requires, for a particular traffic originated from address A and
> destined to address B that arrives on the external interface of the fw,
> to be translated to source IP C and destination IP D.
>
> Basically we have a manual NAT rule that NATs both source and
> destination, and this used to work with an old firewall they had.
>
> What I did was install the new fw module on a new machine, copy IPs,
> routes, and local.arp file (required because of the manual NAT rules and
> of course using the proper MAC addresses). Finally I created a new
> firewall module object in the Dashboard and replaced the old fw object
> with this one (because the hostname changed).
>
> When we attempt a connection that requires the manual NAT mentioned
> above, the SV Tracker shows the connection as allowed but the client
> never gets a successful connection (it is SSH to an internal server). A
> tcpdump on the internal interface shows traffic in both directions, but
> on the external interface I only see inbound traffic. This all
> means the connection is initiated by the client, the server receives it
> and replies, but the firewall is not passing that reply back to the
> external client.
>
> This is typical of a routing issue, where the firewall does not have the
> required route to send packets back to the source of the initial
> connection, but the external client resides in the same network segment
> as the external interface, so there is no real need for a route.
>
> Does anybody have any ideas of what is going on here?? I spent around
> 3-4 hours today struggling with this and will have to go back tomorrow
> morning to try to figure it out.
>
> Any help will be greatly appreciated.
>
> Regards
>
> --
> Sergio Alvarez
> (506)8301342

--
Sergio Alvarez
(506)8301342

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
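JP's point about the firewall arping on the wrong interface is something "fw ctl arp" alone does not settle, since it lists the published entries without saying which directly connected subnet each one falls in. The script below is an added example (not from the thread or from Check Point) that parses a local.arp-style file and maps each proxy-ARP address to the interface whose subnet contains it, flagging entries no interface would answer for; it assumes the "IP MAC" one-pair-per-line format with "#" comments, and the addresses and interface table are constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the local.arp layout this example assumes: one
# "<IP> <MAC>" pair per line, "#" starting a comment. Addresses are placeholders.
SAMPLE_LOCAL_ARP = """\
# proxy ARP entries needed by the manual source+destination NAT rule
10.1.1.50    00:50:56:aa:bb:01   # B: what the far-side client sees the server as
192.168.5.9  00:50:56:aa:bb:01   # C: translated client source the server replies to
172.16.0.7   00:50:56:aa:bb:01   # stale entry copied over from the old box
"""

# Constructed interface table (name -> address/prefix of the directly connected net).
INTERFACES = {
    "eth0": "10.1.1.1/24",      # external side, where the client sits
    "eth1": "192.168.5.1/24",   # internal side, where the server sits
}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_local_arp(text: str) -> List[Tuple[ipaddress.IPv4Address, str]]:
    """Return (ip, mac) pairs; a malformed line raises ValueError with its number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or not MAC_RE.match(fields[1]):
            raise ValueError(f"local.arp line {lineno}: bad entry {raw!r}")
        entries.append((ipaddress.IPv4Address(fields[0]), fields[1].lower()))
    return entries


def interface_for(ip: ipaddress.IPv4Address, interfaces: Dict[str, str]) -> Optional[str]:
    """Name of the directly connected interface whose subnet holds ip, else None."""
    for name, cidr in interfaces.items():
        if ip in ipaddress.ip_interface(cidr).network:
            return name
    return None


def audit_local_arp(text: str, interfaces: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each published IP to the interface that would answer ARP for it.
    None marks an entry outside every connected subnet, i.e. never answered."""
    return {str(ip): interface_for(ip, interfaces) for ip, _ in parse_local_arp(text)}
```

An entry that maps to None is published nowhere useful; an entry that maps to the internal interface when the far-side client is supposed to reach it (or vice versa) is the "wrong interface" case JP describes.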
