Vic
1. If you want your hosts behind the firewall to be accessible via the internet, you cannot use hide nat. There are three options for having your hosts accessible via the net: static nat, no NAT at all (which I don't think is what you want), or PAT.
2. Every host that you want accessible via the internet needs to have a publicly routable ip address associated (ie statically nat'ed) with it - in your case a 12.x.x.x address makes the most sense - again this association is one to one.
3. The firewall will nat the 12.x address to the appropriate 15.x address and routing can take care of the rest. However, since the 15.x network is not directly connected to the firewall, the firewall needs to know how to get there, so a static route is needed on the firewall pointing 15.x at the 10.x router between the 10.x and 15.x networks.
4. The default route on hosts on the 15.x network should be the 15.x router. That router then needs to know what to do with packets destined for the internet, so should therefore point to the firewall.
If I understand your situation correctly, the above should get you there.
Also, if anyone cares to correct the above, have at it.
todd
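A constructed model of the two-hop layout the thread is discussing, added here as an example and not taken from either poster's configuration: it traces where the firewall would send a new inbound connection under hide NAT, under static NAT without the static route, and with the static route Todd describes, and checks the default-gateway problem from Vic's point 4. The addresses 12.0.0.5, 12.0.0.1, 15.0.0.5, 10.10.10.1 and 10.10.10.2 are made-up stand-ins for the 12.x / 10.x / 15.x networks in the posts.

```python
"""Constructed model of the two-hop NAT/routing layout discussed in this
thread (not the posters' configuration). Addresses 12.0.0.5, 12.0.0.1,
15.0.0.5, 10.10.10.1 and 10.10.10.2 are made-up stand-ins for the
12.x / 10.x / 15.x networks in the posts."""
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no match."""
    best = None
    for net, hop in routes:
        net = ip_network(net)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def trace_inbound(fw_routes, static_nat, dst_public):
    """Where does the firewall send a new inbound connection to dst_public?

    static_nat maps public -> private one-to-one. A hide NAT has no such
    per-host entry, so an unsolicited inbound packet has nothing to
    translate to. Returns (private_dst, next_hop); (None, None) when the
    firewall cannot translate the destination at all.
    """
    private = static_nat.get(dst_public)
    if private is None:
        return (None, None)
    return (private, lookup(fw_routes, private))


def host_gateway_ok(host_net, gateway):
    """A host can only use a default gateway that sits on its own subnet."""
    return ip_address(gateway) in ip_network(host_net)


# Firewall: connected DMZ plus a default route to the internet router.
FW_ROUTES = [("10.10.10.0/24", "connected"), ("0.0.0.0/0", "12.0.0.1")]
# The static route Todd recommends: 15.x via the 10.x side of the
# internal router (10.10.10.2 is a constructed address).
FW_ROUTES_FIXED = FW_ROUTES + [("15.0.0.0/8", "10.10.10.2")]
STATIC_NAT = {"12.0.0.5": "15.0.0.5"}

if __name__ == "__main__":
    print(trace_inbound(FW_ROUTES, {}, "12.0.0.5"))          # hide NAT: (None, None)
    print(trace_inbound(FW_ROUTES, STATIC_NAT, "12.0.0.5"))  # no static route: hop 12.0.0.1
    print(trace_inbound(FW_ROUTES_FIXED, STATIC_NAT, "12.0.0.5"))  # hop 10.10.10.2
    print(host_gateway_ok("15.0.0.0/8", "10.10.10.1"))       # Vic's PC: False
    print(host_gateway_ok("15.0.0.0/8", "15.0.0.1"))         # Todd's point 4: True
```

Without the static route the translated 15.x packet matches only the default route and is handed back toward the internet router, which is why there is nothing to see in the firewall log for that host.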
----- Original Message -----
From: Vic G
Sent: Wednesday, October 30, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] internal network/NAT (eventually VPN)

More info:
1. FW NG SP1 is running on Win2k.
2. I added a route statement at FW to route all 15.x traffic to 10.x.x.x
router. Do I really need to do that? (when the NAT unwraps, does it unwrap
as 10.x.x.x or 15.x.x.x)?
3. I found that I can add a new "network" of 15.0.0.0 and NAT that to "hide"
behind real external IP address of (12.x.x.x). Is this on the right path to
getting my "very internal" hosts to be accessible via the 'net?
Currently my "internalnet" as defined in FW-1 is only 10.x.x.x since that's
all that is there (my DMZ servers).
4. After all this, I set a client PC on the 15.x network, and added route
statements to send traffic destined to 10.x network to the 15.x router. The
default gateway on this PC is my FW, 10.10.10.1
This does NOT work. I can ping my DMZ hosts on the 10.x (so I know packets
are getting to the 10 side) but there is no log info on the FW when I ping
it, try to use nslookup, or browse the 'net from this PC.
Any ideas?
Vic
>
>arp your router on an External ip on the firewall (don't forget to route to
>it)
>accept with a rule the traffic you are interested for.
>
>Pete
>
>
>-----Original Message-----
>From: Vic G [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, October 30, 2002 10:56 AM
>To: [EMAIL PROTECTED]
>Subject: [FW-1] internal network/NAT (eventually VPN)
>
>
>I'm attempting to set this up, here is my config (be kind..)
>
>Very int IntDMZ FW External
>15.x.x.x Router 10.10.10.x 10-12 12.x.x.x
>
>
>There is a router between "very internal", (which also has other routers to
>more internal nets...)
>I need a client on the outside(internet) to be able to get to a very
>internal host station (eventually VPN to a similar setup on other side). I
>have on my INT DMZ some hosts (Static Nat'd to the external address) and
>that works OK. The Router is static NAT'd as a workstation, with NAT
>enabled. (one IP is 10.x.x.x, other is 15.x.x.x) I've tried HIDE and STATIC
>(not sure what it should be...)
>The Internet router has static route statements to force the external
>address
>to the FW. How does someone on the Internet address (what could be) many
>internal addresses on the inside networks?
>
>All the examples I see are only 1 level deep (ie the 10.x.x.x is
>hide/natted
>to the outside). I need to get 1 more level in.
>
>What am I missing here?
>Vic
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
