Creating a static NAT does not allow a connection to that object. There would have to be a rule that allows that. A suggestion would be to look at your logs and attempt the connection to the static NAT address. Look at the rule number that is allowing that connection to take place. I would assume that you will find an unexpected rule is doing an accept.

--- Dan Lynch <[EMAIL PROTECTED]> wrote:

> Greetings group,
>
> When using automatic static NAT, how should rules be configured to
> prevent external users from connecting to the host's native IP address?
>
> If the rule reads:
>
> Source            Destination   Service   Action
> Net_192.168.1.0   Host_object   Any       Allow
>
> And the Host_Object has an automatic static NAT applied, external users
> can access the host's NAT address *or* the native IP. What's the
> recommended way of configuring rules so this doesn't happen? Do I have
> to add an object for the host's native IP address, and a rule for each
> host with an automatic static NAT?
>
> Source            Destination                  Service   Action
> Net_192.168.1.0   Host_object_native_address   Any       Deny
> Net_192.168.1.0   Host_object                  Any       Allow
>
> Yuck.
>
> Worse yet is when we must allow access to the native IP from internal
> nets. Like so?
>
> Source            Destination                  Service   Action
> Net_10.1.1.0      Host_object_native_address   Any       Allow
> Any               Host_object_native_address   Any       Deny
> Net_192.168.1.0   Host_object                  Any       Allow
>
> How do you deal with it?
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
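
The three-rule layout from the question, checked the way the reply suggests (find the rule number that matches each connection), as an added example that is not part of the thread. It models a top-down, first-match rulebase; the host addresses are constructed, and the premise that `Host_object` matches both its native and NAT address is taken from the question as an assumption.

```python
import ipaddress

# Constructed addresses: the thread names the objects but gives no host IPs.
NATIVE_IP = "172.16.5.10"    # assumed native (real) address of the host
NAT_IP = "203.0.113.10"      # assumed automatic static NAT address

# Assumption taken from the question: an object carrying automatic static NAT
# matches on its native address and on its NAT address.
OBJECTS = {
    "Any": ["0.0.0.0/0"],
    "Net_192.168.1.0": ["192.168.1.0/24"],
    "Net_10.1.1.0": ["10.1.1.0/24"],
    "Host_object": [NATIVE_IP, NAT_IP],
    "Host_object_native_address": [NATIVE_IP],
}

# The three-rule layout from the question, in order (source, destination, action).
RULES = [
    ("Net_10.1.1.0", "Host_object_native_address", "Allow"),
    ("Any", "Host_object_native_address", "Deny"),
    ("Net_192.168.1.0", "Host_object", "Allow"),
]

def in_object(ip, name):
    """True if ip falls inside any address or network of the named object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in OBJECTS[name])

def first_match(src, dst, rules=RULES):
    """Return (rule_number, action) of the first rule matching src -> dst.
    Rule 0 stands for an assumed final drop when nothing matches."""
    for number, (rsrc, rdst, action) in enumerate(rules, start=1):
        if in_object(src, rsrc) and in_object(dst, rdst):
            return number, action
    return 0, "Deny"

def report(rules=RULES):
    """Evaluate four constructed flows: each source net to each host address."""
    flows = [("192.168.1.50", NAT_IP), ("192.168.1.50", NATIVE_IP),
             ("10.1.1.20", NATIVE_IP), ("10.1.1.20", NAT_IP)]
    return {(s, d): first_match(s, d, rules) for s, d in flows}

if __name__ == "__main__":
    for (src, dst), (num, action) in report().items():
        print(f"{src} -> {dst}: rule {num} {action}")
    # The question's first, single-rule layout for comparison.
    print(first_match("192.168.1.50", NATIVE_IP, RULES[2:]))
```

Order matters here: moving the `Any` deny above the `Net_10.1.1.0` allow would block the internal net as well, which is the kind of unexpected match the rule number in the log reveals.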
