Steve,


Yes, we have an outbound NAT rule configured; it should not need it though,
as the device in the DMZ never initiates a connection out through the
firewall.


________________________________

From: Steve Baker [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 24, 2007 10:42 AM
To: Larson, Todd (LNG-DAY)
Subject: Re: [FW-1] Troubling NAT Issue - NGX R62


This might be a somewhat silly question, but do you have a NAT rule that
says:

10.10.10.10 to any ->>> 1.1.1.1 to any

Otherwise the traffic might be hitting your default outbound NAT rule,
hence why the firewall is seeing it as out of state.


On 10/24/07, Larson, Todd (LNG-DAY) <[EMAIL PROTECTED]> wrote: 

All,

I'm looking for insight to resolve what should be a simple issue with
destination NAT on a very simple Check Point HA deployment on Nokia
IP390s running IPSO 4.1 b22. The FW logs show the incoming packet
being accepted, then 3 seconds later they show a new connection from the
IP of the DMZ host being dropped as TCP out of state.

Background:
- Customer has a device deployed in a DMZ subnet located off the
firewall.
- The firewall is the default gateway for the DMZ subnet.
- Outside users need to access a host in the DMZ subnet from the
internet.
- FW's default route is the ISP gateway router.
- Outbound NAT is working with no problems.
- The DMZ host can be reached by other hosts on the same subnet and
responds normally.
- Nokia IPSO configured with New Mode VRRP.
- Outside VIP is set to a user-defined MAC which is also the VRRP
MAC for that subnet.
- If we use the VRRP IP of the firewall it works; the VIP doesn't
work:
  o 1.1.1.4 (VRRP IP of firewall) < This works
  o 1.1.1.1 (VIP for DMZ host) < This doesn't work
- Spoofing is configured to permit the source IP of the DMZ subnet
through the DMZ interface.

Policy
Any to 1.1.1.1 (Internet Real VRRP Address) https accept log

Address Translation
Any to 1.1.1.1 > Same to 10.10.10.10

What happens:
- Packet capture shows traffic accepted through the firewall to the host
on the DMZ.
- Host on DMZ responds back with a SYN-ACK; packet capture on the outside
interface shows the SYN-ACK leaving the interface.
- Client does not receive a SYN-ACK response.
- Switch sees the VRRP MAC address.
- Set upstream IPS to L2 bypass mode.



=================================================
To set vacation, Out-Of-Office, or away messages, 
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
================================================= 
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================= 
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
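As an added illustration of the failure mode Steve Baker suggests above (this is not code from the thread or from Check Point): a toy stateful-inspection model in Python in which a SYN-ACK from the DMZ host is matched to the connection its SYN created only if its source address is still the one the state entry was built from. The client address 203.0.113.5, the use of 1.1.1.4 as the hide address of the default outbound rule, and the one-packet-per-direction model are constructed assumptions, not Check Point's actual NAT pipeline.

```python
from dataclasses import dataclass

# Addresses from the thread: public VIP 1.1.1.1 maps to DMZ host 10.10.10.10.
# 1.1.1.4 as the outbound hide address and the client IP are constructed.
STATIC_NAT = {"1.1.1.1": "10.10.10.10"}
HIDE_NAT_ADDR = "1.1.1.4"
CLIENT = "203.0.113.5"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN" or "SYN-ACK"

class Firewall:
    """Toy stateful inspection: state is keyed on the real addresses of the SYN."""
    def __init__(self):
        self.conns = {}  # (client, real_server) -> public address the client used

    def inbound(self, pkt):
        # Outside interface: only a SYN may create state; anything else is out of state.
        if pkt.flags != "SYN":
            return ("DROP", "TCP out of state")
        real = STATIC_NAT.get(pkt.dst)
        if real is None:
            return ("DROP", "no NAT rule for destination")
        self.conns[(pkt.src, real)] = pkt.dst
        return ("ACCEPT", Packet(pkt.src, real, pkt.flags))

    def outbound(self, pkt, hide_nat_first=False):
        # DMZ interface. hide_nat_first models the case Steve raises: the reply
        # is rewritten by the default outbound hide rule before the state lookup.
        if hide_nat_first:
            pkt = Packet(HIDE_NAT_ADDR, pkt.dst, pkt.flags)
        public = self.conns.get((pkt.dst, pkt.src))
        if public is not None:  # reply to a known connection: undo the static NAT
            return ("ACCEPT", Packet(public, pkt.dst, pkt.flags))
        if pkt.flags == "SYN":  # genuinely new outbound connection: hide NAT applies
            return ("ACCEPT", Packet(HIDE_NAT_ADDR, pkt.dst, pkt.flags))
        return ("DROP", "TCP out of state")

def syn_ack_with_static_nat():
    fw = Firewall()
    fw.inbound(Packet(CLIENT, "1.1.1.1", "SYN"))
    return fw.outbound(Packet("10.10.10.10", CLIENT, "SYN-ACK"))

def syn_ack_hitting_hide_nat():
    fw = Firewall()
    fw.inbound(Packet(CLIENT, "1.1.1.1", "SYN"))
    return fw.outbound(Packet("10.10.10.10", CLIENT, "SYN-ACK"), hide_nat_first=True)
```

In the first scenario the reply leaves with source 1.1.1.1, the address the client connected to; in the second the rewritten source no longer matches any state entry and the SYN-ACK is logged as out of state, which is the symptom in the FW logs.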
