Hello

A guess: you are on SecurePlatform FP2? If yes, this is normal on FP2, whatever
the platform.

This relates to the way static destination NAT is implemented in versions < FP3:


- 4.1-2000: the original packet is translated outbound, then inbound. You
have to manage ARP, anti-spoofing and routing manually.

- NG up to FP2 AND automatic NAT AND tick mark on "Perform NAT on client
side" THEN manual routing and anti-spoofing are not required any more, BUT if
you are on W2K or NT THEN you will need fwparp.exe to respond
appropriately to ARP.

- NG up to FP2 WITHOUT automatic NAT => you have to manage ARP,
anti-spoofing and routing manually.

- NG from FP3, whatever the OS: no more manual ARP, anti-spoofing and
routing tasks, provided you act on the configuration screen Policy / Global
Properties / NAT and perform NAT on client side, both for automatic and manual NAT.
I believe the W2K problem with ARP is solved. Could anyone confirm?

HTH

Ivan
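To make the distinction in the list above concrete, here is an added toy model of the firewall's routing decision in the two modes Ivan describes. It is an illustration written for this page, not Check Point code and not from either poster. Translation after routing stands in for the pre-FP3 / server-side behaviour, which needs a manual host route for the public address and a proxy-ARP answer for it; translation before routing stands in for "Perform NAT on client side". The addresses, interface names and the two port-specific NAT rules are constructed; the port-specific rules go beyond the single rule in the thread so the model can also show why a host route for the public address breaks port-based translation to a second host, the limitation Ben mentions.

```python
"""Toy model of static destination NAT with and without "Perform NAT on
client side". Added illustration, not Check Point code. All addresses,
interface names and rules below are constructed examples."""
import ipaddress
from typing import NamedTuple, Optional

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class Route(NamedTuple):
    prefix: Net
    iface: str
    gateway: Optional[IP]  # None = directly connected: frame goes to dst itself


class NatRule(NamedTuple):
    orig_dst: IP
    orig_port: Optional[int]  # None = any service
    xlate_dst: IP


# Constructed topology: eth0 faces the Internet, eth1 the private LAN.
EXT_NET = Net("203.0.113.0/24")
INT_NET = Net("192.168.10.0/24")
FW_EXT = IP("203.0.113.1")    # firewall's own external address
PUBLIC = IP("203.0.113.50")   # NATed public address, not a firewall IP
WEB = IP("192.168.10.50")
MAIL = IP("192.168.10.51")

BASE_ROUTES = [
    Route(EXT_NET, "eth0", None),
    Route(INT_NET, "eth1", None),
    Route(Net("0.0.0.0/0"), "eth0", IP("203.0.113.254")),
]
# The manual workaround from the thread: a host route for the public
# address pointing at the internal server.
STATIC_HOST_ROUTE = Route(Net("203.0.113.50/32"), "eth1", WEB)

# Two port-specific destination NAT rules (constructed, to show the PAT case).
NAT_RULES = [
    NatRule(PUBLIC, 80, WEB),
    NatRule(PUBLIC, 25, MAIL),
]


def lookup(routes, dst):
    """Longest-prefix match, as a kernel routing table does."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def translate_dst(dst, port):
    for r in NAT_RULES:
        if dst == r.orig_dst and r.orig_port in (None, port):
            return r.xlate_dst
    return dst


def forward(dst, port, client_side_nat, routes=BASE_ROUTES):
    """Return (egress iface, next hop the frame is addressed to, dst IP in packet)."""
    if client_side_nat:
        # Client side: the destination is rewritten on the inbound interface,
        # so the routing lookup already sees the private address.
        new_dst = translate_dst(dst, port)
        r = lookup(routes, new_dst)
        return r.iface, (r.gateway if r.gateway is not None else new_dst), new_dst
    # Server side (the pre-FP3 behaviour): route on the untranslated public
    # address first, rewrite the destination only on the way out.
    r = lookup(routes, dst)
    next_hop = r.gateway if r.gateway is not None else dst
    return r.iface, next_hop, translate_dst(dst, port)


def reaches_server(dst, port, client_side_nat, routes=BASE_ROUTES):
    """The packet arrives only if it leaves on the LAN side and the frame is
    addressed to the host whose IP is now in the packet."""
    iface, next_hop, new_dst = forward(dst, port, client_side_nat, routes)
    return iface == "eth1" and next_hop == new_dst


def needs_proxy_arp(public):
    """If the public address sits in the external subnet but is not the
    firewall's own, something must answer ARP for it on eth0 (the manual
    ARP task, or fwparp.exe on NT/W2K, in the versions Ivan lists)."""
    return public in EXT_NET and public != FW_EXT


if __name__ == "__main__":
    with_route = BASE_ROUTES + [STATIC_HOST_ROUTE]
    print("server side, no host route, :80 ->", reaches_server(PUBLIC, 80, False))
    print("server side, host route,    :80 ->", reaches_server(PUBLIC, 80, False, with_route))
    print("server side, host route,    :25 ->", reaches_server(PUBLIC, 25, False, with_route))
    print("client side, no host route, :25 ->", reaches_server(PUBLIC, 25, True))
    print("proxy ARP needed for", PUBLIC, "->", needs_proxy_arp(PUBLIC))
```

Run as a script and the four cases line up with the thread: server-side translation with no host route sends the packet back out eth0 and it never reaches the server; the host route fixes port 80 but sends the port 25 packet to the web host even though its destination was rewritten to the mail host; client-side translation delivers both with no extra route. The proxy-ARP check is separate from routing, which is why the older versions listed ARP as its own manual task.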





Ben Keepper <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1
<[EMAIL PROTECTED]>
12/11/2002 18:47
Please reply to Mailing list for discussion of Firewall-1


        To:  [EMAIL PROTECTED]
        cc:
        Subject: [FW-1] Now I am really intrigued- Nokia vs SecurPlatform

Playing around some more.

I can delete the static route on the SecurPlatform, and then configure a
NAT using automatic NAT on the object.

Object is private, static NAT it to a public address.  Right.

Works fine, and no static route needed.

But if I try this manually in the Check Point address translation table,
no worky, worky.

Two rules. The first looks like:
any -> public -> any service <translate> any -> private -> any service

The second looks like:
private -> any -> any service <translate> public -> any -> any

Now these NAT rules are identical to the automatically generated NAT
rules produced by directly modifying the object in question.

Why does one work and the other doesn't?

Anybody? Check Point?

Now the manual NAT works fine if I add a static route on the
SecurePlatform, but that would stop me from doing port address
translation.

This all works fine on a Nokia, and I would think the kernel routing is
identical on Linux vs IPSO.

Anybody?

Ben

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
