Hello,

There is no problem in NATting. I believe you are having a problem in routing; you need to add a route to your internal server to forward the packet to the DMZ, if received from the 10.10.11.0 network.

----- Original Message -----
From: "Laidlaw, Rob" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, January 25, 2003 3:08 AM
Subject: Re: [FW-1] NAT issue..

> I have had an issue with checkpoint and defining an interface as a "DMZ" and having very bad results. I was running this on a nokia ip330 with ng fp2 as an enforcement module. I had an ip440 as the management server and its own enforcement module. When alone, the ip440 management server worked great, until I added the ip330 with the "DMZ" and then both firewalls began experiencing A LOT of connection issues. After removing the IP330, the problem still remained so I upgraded to fp3. I am recreating this issue next week in the lab to see if it is an object issue (Had issues in the past and seen a lot of issues with having two or more objects defining the same ip or network even if it isn't used in the rule bases). I will let you know if I find out anything newsworthy.
>
> Rob
>
> -----Original Message-----
> From: Duda, Nick [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 23, 2003 11:46 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] NAT issue..
>
> See that's the thing, I have all this done. I guess to be more direct in
> my question... Is there a problem doing Static NATS between 2 private ip
> ranges in FW-1?
>
> -----Original Message-----
> From: Laidlaw, Rob [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 23, 2003 12:21 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] NAT issue..
>
> For each of the static nats you created two entries, one for incoming
> traffic and one for outgoing traffic. The DMZ nat's should come first,
> with a source of the dmz to your dmz vips, and the return rule should
> specify source as the real box to dest. dmz net. The next two rules
> should be the same rules, but remove the dmz net as source and
> destination respectively. That should be all you need as far as nat,
> but you need to define rules in the security policy that allows traffic
> both ways, to both the dmz net and the internet.
>
> Rob Laidlaw
> Sr. Network Engineer
> EnvestnetPMC
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Duda, Nick [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 23, 2003 10:00 AM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] NAT issue..
>
> Win2k , FP3 NG
>
> This is what I want to do.
>
> Internet ------(x.x.x.x) Firewall (192.168.1.1)-------- (192.168.1.50) Internal Server
>                             |
>                             | (10.10.11.10)
>                             |
>                             ------DMZ
>
> I need a static NAT from the External Interface (x.x.x.x) on the
> Firewall to the Internal Server (192.168.1.50). I need a static NAT from
> the DMZ Firewall Interface (10.10.11.10) going to the Internal Server
> (192.168.1.50).
>
> You can only define 1 automatic nat on the Internal Server object, this
> I know, so I bypassed this and made 2 manual static NATS. The External
> (internet) to the Internal Server NAT works fine, as it should. The DMZ
> interface NAT to the Internal Server didn't. The log shows packets going
> from the DMZ interface to the Internal Server via NAT but nothing goes
> back.
>
> Can this be done?
>
> Nick Duda, CCSA
> Network Administrator
> Evare, LLC
> [EMAIL PROTECTED]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
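
The four-rule ordering Rob Laidlaw describes in the quoted message, modelled as a first-match NAT table for new connections. This is an added illustration, not code from the thread and not FW-1 syntax. Assumptions: 203.0.113.10 stands in for the elided external address x.x.x.x, the DMZ is taken to be 10.10.11.0/24, 10.10.11.20 is a constructed DMZ host, and rules are evaluated top-down with the first match winning.

```python
import ipaddress
from typing import NamedTuple, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_NET = ipaddress.ip_network("10.10.11.0/24")  # assumed /24; the thread gives only 10.10.11.0
DMZ_VIP = ipaddress.ip_address("10.10.11.10")    # DMZ-side address from the thread
EXT_VIP = ipaddress.ip_address("203.0.113.10")   # placeholder for the elided x.x.x.x
SERVER = ipaddress.ip_address("192.168.1.50")    # internal server from the thread

class NatRule(NamedTuple):
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    xlate_src: Optional[ipaddress.IPv4Address]  # None = leave source as is
    xlate_dst: Optional[ipaddress.IPv4Address]  # None = leave destination as is

def host(ip):
    return ipaddress.ip_network(f"{ip}/32")

DMZ_IN = NatRule("dmz-in", DMZ_NET, host(DMZ_VIP), None, SERVER)
DMZ_OUT = NatRule("dmz-out", host(SERVER), DMZ_NET, DMZ_VIP, None)
EXT_IN = NatRule("ext-in", ANY, host(EXT_VIP), None, SERVER)
EXT_OUT = NatRule("ext-out", host(SERVER), ANY, EXT_VIP, None)

ORDERED = [DMZ_IN, DMZ_OUT, EXT_IN, EXT_OUT]     # DMZ-specific rules first
MISORDERED = [EXT_IN, EXT_OUT, DMZ_IN, DMZ_OUT]  # general rules first

def translate(rules, src, dst):
    """Apply the first matching rule to a new connection.
    Returns (rule name or None, translated src, translated dst)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.name, str(r.xlate_src or src), str(r.xlate_dst or dst)
    return None, str(src), str(dst)

def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst)
                   for e in rules[:i])]

if __name__ == "__main__":
    dmz_client = "10.10.11.20"  # constructed DMZ host
    for label, rules in (("ordered", ORDERED), ("misordered", MISORDERED)):
        print(label, translate(rules, dmz_client, "10.10.11.10"),
              translate(rules, "192.168.1.50", dmz_client), shadowed(rules))
```

With the general rules first, a connection the server opens toward the DMZ matches the Internet rule and leaves with the external address as its source; `shadowed()` reports the DMZ return rule as unreachable in that order.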
