Wen,

If you are statically natting a private address to a public address, then you must use an IP address that is NOT the external VIP. The external VIP address is good to use for HIDE NAT, not static NAT. You need to static NAT to an address that is in the same subnet as your external VIP. Then proxy up that address using the VRRP MAC.
www

--- Guangcheng Wen <[EMAIL PROTECTED]> wrote:
> Hello,
> Thanks a lot.
> My platform is Solaris8 and FW-1 is NG FP2.
>
> wosterman1> The most likely cause is the arp settings. You need to create a proxy or
> wosterman1> published arp for the static NAT.
>
> Sorry, I am new to FW-1. Would you please tell me how to do it?
>
> wosterman1> I have heard that there are problems with
> wosterman1> the automatic arp creation in NG so be careful. If you do it manually it is
> wosterman1> platform dependent.
>
> In the Global Properties of Policy Editor,
> Allow bi-directional NAT, Translate destination on client side
> and Automatic ARP configuration are checked in NAT sub-manual.
> Is it not enough?
>
> Best regards,
>
> --Wen
>
> wosterman1> ----- Original Message -----
> wosterman1> From: "Guangcheng Wen" <[EMAIL PROTECTED]>
> wosterman1>
> wosterman1> > Hello,
> wosterman1> > Thanks so much for your information.
> wosterman1> > Yes, just as you said, Cluster HA even Cluster XL works under eval key.
> wosterman1> > But I have a problem with NAT (static model). I have made a Nodes object
> wosterman1> > for a Web server on internal LAN.
> wosterman1> > IP Address: 192.168.2.63
> wosterman1> > "Add Automatic Address Translation rules" is checked.
> wosterman1> > Translation method: static
> wosterman1> > Network IP Address: 200.240.2.4 (FW Cluster's VIP)
> wosterman1> > Install on Gateway: Cluster object
> wosterman1> > When I access from 192.168.2.63 to a Web server outside is OK,
> wosterman1> > and the source IP is converted to 200.168.2.63. But when I access
> wosterman1> > the internal Web server (192.168.2.63) by http://200.240.2.4/,
> wosterman1> > it failed.
> wosterman1> > If the Network IP Address is set to one of FW real IP, it works.
> wosterman1> > Any idea? Thanks a lot.
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
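
The rule in the reply at the top of this thread (static NAT address is not the external VIP, sits in the same subnet as the VIP, and is published with the VRRP MAC) can be checked before touching the gateway. The following is an added example, not code from the thread or from Check Point. The /24 prefix, the VRID of 10, the candidate address 200.240.2.5 and the Solaris-style `arp -s <ip> <mac> pub` output are assumptions made for illustration.

```python
import ipaddress

def vrrp_virtual_mac(vrid):
    """IPv4 VRRP virtual router MAC is 00:00:5e:00:01:<VRID in hex>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in the range 1..255")
    return "00:00:5e:00:01:%02x" % vrid

def check_static_nat(nat_ip, external_vip, prefix_len):
    """Return a list of problems with nat_ip as a static NAT address (empty = OK)."""
    vip = ipaddress.ip_address(external_vip)
    net = ipaddress.ip_interface("%s/%d" % (external_vip, prefix_len)).network
    nat = ipaddress.ip_address(nat_ip)
    problems = []
    if nat == vip:
        problems.append("address is the external VIP; keep the VIP for hide NAT")
    if nat not in net:
        problems.append("address is outside the external subnet %s" % net)
    elif nat in (net.network_address, net.broadcast_address):
        problems.append("address is the network or broadcast address of %s" % net)
    return problems

def proxy_arp_command(nat_ip, external_vip, prefix_len, vrid):
    """Build the published-ARP command for a valid static NAT address.

    The command is only returned as a string, never executed. The
    'arp -s <ip> <mac> pub' form is assumed for the Solaris gateway.
    """
    problems = check_static_nat(nat_ip, external_vip, prefix_len)
    if problems:
        raise ValueError("; ".join(problems))
    return "arp -s %s %s pub" % (nat_ip, vrrp_virtual_mac(vrid))

if __name__ == "__main__":
    VIP, PREFIX, VRID = "200.240.2.4", 24, 10   # prefix and VRID are assumed
    # Candidates: the VIP from the thread, a constructed in-subnet address,
    # and a constructed address outside the subnet.
    for candidate in ("200.240.2.4", "200.240.2.5", "200.240.3.5"):
        issues = check_static_nat(candidate, VIP, PREFIX)
        if issues:
            print(candidate, "REJECTED:", "; ".join(issues))
        else:
            print(candidate, "OK ->", proxy_arp_command(candidate, VIP, PREFIX, VRID))
```
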
