I believe the problem with the first NAT rule is that the anti-spoofing check on the interior Interface of FW on NET A is seeing the Destination Address of 192.168.3.1 which has not been identified as a Valid Address. ( The Destination Address Translation to Alice's IP is the LAST thing done before sending to Alice). Build a Workstation object for Ed (192.168.3.1) then change the Valid Addresses on NET A's interface to be SPECIFIC > Build a group object that consists of NET A and the new ED workstation object.
Hope this helps

--- Nico De Ranter <[EMAIL PROTECTED]> wrote:

> Howdy,
>
> ok, this is a tricky one :-)
> I have a configuration which -sort of- looks like this:
>
>     net A - 10.0.0.0
>              |
>              |
>         ----------
>         |firewall| ..... 'virtual' net D 10.1.1.0
>         |        |
>         |        |--- net E 192.168.3.0
>         ----------
>              |
>              |
>     net B - 192.168.1.0
>              |
>              |
>         ----------
>         | router |
>         ----------
>              |
>              |
>     net C - 192.168.2.0
>
> - net A is a world-wide WAN which does not know about net B
>   or net C. However we have a subnet D of net A which we use
>   for NAT everything that needs access to net A.
> - net C does not know about net A (router is not under our control).
>   net C does know the way to net E
> - The anti-spoofing settings say that valid addresses for net A interface
>   are 10.x.x.x
>
> a machine on net C (say: Charlie, 192.168.2.1) needs to contact a
> server on net A (say: Alice, 10.2.2.2). Since net C does not know about
> net A, I took an address on net E (say: Ed, 192.168.3.1) and one
> on net D known by net A (say: Dany, 10.1.1.1) and created
> a NAT rule which says:
>
>   src: Charlie, dst: Ed, prot: any
>   --- translate to -->
>   src: Dany (hide), dst: Alice (static), prot: original
>
> Anybody still following? :-)
>
> Now if I make a connection from Charlie to Ed (hoping to end
> up on Alice), the connection is rejected on the outgoing net A
> interface based on rule 0, meaning anti-spoofing rules.
>
> I have another rule saying
>
>   src: net B, dst: net A, prot: any
>   --- translate to -->
>   src: 10.1.1.2 (hide), dst: orig, prot: original
>
> that one works without problems.
>
> Any idea how I can fix the problem (except for turning off anti-spoofing
> rules which is not an option)
>
> thanks in advance,
>
> Nico
>
> ---------------------------------------------------------
> "It has been said that there are only two businesses that
> refer to customers as users: illegal drug trade and
> the computer industry."
> ---------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/VPE-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> e-mail: [EMAIL PROTECTED]
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
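A constructed model of the processing order the reply describes, added here as an illustration (it is not Check Point code and not part of the thread): the anti-spoofing check on the outgoing net A interface compares the packet's original destination, 192.168.3.1, against that interface's valid addresses before the static destination translation to Alice is applied, so the first NAT rule fails until a workstation object for Ed is added to the valid-address group. The `forward` function and the dictionary form of the rules are my own assumptions.

```python
import ipaddress

# Constructed model of the processing order described in the reply (not FW-1 code):
# anti-spoofing on the outgoing interface checks the packet's ORIGINAL destination,
# and the static destination translation is applied only afterwards.
NET_A = ipaddress.ip_network("10.0.0.0/8")         # valid addresses for net A: 10.x.x.x
NET_B = ipaddress.ip_network("192.168.1.0/24")
NET_C = ipaddress.ip_network("192.168.2.0/24")
NET_E = ipaddress.ip_network("192.168.3.0/24")
ED_HOST = ipaddress.ip_network("192.168.3.1/32")   # workstation object for Ed
INSIDE_NETS = (NET_B, NET_C, NET_E)

# The two NAT rules from the thread, in the order given.
NAT_RULES = [
    {"src": ipaddress.ip_network("192.168.2.1/32"),  # Charlie
     "dst": ED_HOST,                                  # Ed
     "xlate_src": "10.1.1.1",                         # Dany (hide)
     "xlate_dst": "10.2.2.2"},                        # Alice (static)
    {"src": NET_B, "dst": NET_A,
     "xlate_src": "10.1.1.2",                         # hide
     "xlate_dst": None},                              # destination stays original
]

def forward(src, dst, net_a_valid):
    """Simulate a packet entering from the inside and leaving via the net A interface.

    net_a_valid is that interface's anti-spoofing 'valid addresses' set.
    Returns (decision, source_on_wire, destination_on_wire) as strings.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Ingress anti-spoofing: a packet from the inside must carry an inside source.
    if not any(src in n for n in INSIDE_NETS):
        return ("drop: ingress anti-spoof", str(src), str(dst))
    rule = next((r for r in NAT_RULES if src in r["src"] and dst in r["dst"]), None)
    # Egress anti-spoofing ("rule 0") sees the destination BEFORE translation.
    if not any(dst in n for n in net_a_valid):
        return ("drop: egress anti-spoof", str(src), str(dst))
    if rule is not None:  # translation is the last step before the packet leaves
        src = ipaddress.ip_address(rule["xlate_src"])
        if rule["xlate_dst"] is not None:
            dst = ipaddress.ip_address(rule["xlate_dst"])
    return ("accept", str(src), str(dst))

if __name__ == "__main__":
    print(forward("192.168.2.1", "192.168.3.1", [NET_A]))           # original config: dropped
    print(forward("192.168.2.1", "192.168.3.1", [NET_A, ED_HOST]))  # net A + Ed group: accepted
    print(forward("192.168.1.5", "10.2.2.2", [NET_A]))              # net B rule works either way
```

The third call shows why the second rule never hit the problem: its destination is already a 10.x.x.x address, so the egress check passes without any change to the valid-address set.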
