> I want to perform hiding NAT for inbound packets coming in from the
> Internet so that their source address is translated to be the Firewall's
> internal address.

Roy,

You can't do it, even if the policy allowed you to install with those xlate
rules.  Whenever we use static NAT for a device (excluding services), we
have to add a static route for the destination.  We know that routing
occurs before xlation; the firewall has a route for the internal IP
address via the internal NIC - you have to route this traffic (the hide
on the internal NIC) out through your default gateway.  You would lose
connectivity on the internal NIC if it were possible to add this route.

If you really have to do something like this, you can hide inbound
connections behind a different, unused internal IP.  The firewall must
proxy ARP for this IP via the internal NIC, and then you will need a static
host route, routing this internal IP out your firewall's default gateway.

You are not allowed to use a Source of ANY in the xlate rulebase.  You can
use ranges - you can create a few address range objects to take the place
of ANY.  So create an xlate rule like:

Range1 could be 1.1.1.1 through 10.254.254.254, etc.

O=Original Packet, T=Translated Packet.

O-src=range1 O-dst=internalnet O-svc=Any | T-src=bogusinternal(hide)
T-dest=Orig T-svc=Orig

Just be warned... there may be implications using these address ranges
(since they are so large) in the xlate table.  I'm sure there is a reason
why Checkpoint doesn't allow you to use ANY as an O-Src in xlation rules.

-Nick
Atlantic Computing
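A way to check the constraint the compiler reports and to build the range objects Nick suggests, as an added example (Python, not from this thread or from Check Point; the compiler check is modelled only from the error message Roy quotes, and the object names range1, range2, ... and the choice to exclude the internal networks from the ranges are this example's own assumptions):

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Tuple

ANY = "Any"
ORIGINAL = "Original"


@dataclass(frozen=True)
class NatRule:
    """One row of the address translation rulebase: three Original columns
    and three Translated columns (names follow the rule Roy posted)."""
    orig_src: str
    orig_dst: str
    orig_svc: str
    trans_src: str
    trans_dst: str
    trans_svc: str


def compile_errors(rule: NatRule, number: int) -> List[str]:
    """Re-implement (an assumption modelled on the error text only) the one
    check the compiler message describes: <Any> in an Original column is
    accepted only when the matching Translated column is <Original>."""
    errors = []
    columns = (("Source", rule.orig_src, rule.trans_src),
               ("Destination", rule.orig_dst, rule.trans_dst),
               ("Service", rule.orig_svc, rule.trans_svc))
    for name, orig, trans in columns:
        if orig == ANY and trans != ORIGINAL:
            errors.append(
                f"Invalid <Any> in {name} of Address Translation Rule {number}. "
                f"<Any> is valid only if the matching translated column is <Original>")
    return errors


def ranges_replacing_any(exclude: List[str]) -> List[Tuple[str, str]]:
    """Address-range objects that together cover all of IPv4 except the
    networks in `exclude`, collapsed into as few first/last pairs as possible.
    Excluding the internal networks is this example's design choice: it keeps
    the hide rule from ever matching internal-to-internal traffic."""
    remaining = [ipaddress.IPv4Network("0.0.0.0/0")]
    for ex in (ipaddress.IPv4Network(e) for e in exclude):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):            # carve the exclusion out of this block
                kept.extend(net.address_exclude(ex))
            elif not net.subnet_of(ex):      # disjoint blocks survive unchanged
                kept.append(net)
        remaining = kept
    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
    for net in sorted(remaining):
        first, last = net[0], net[-1]        # network and broadcast address of the block
        if ranges and int(ranges[-1][1]) + 1 == int(first):
            ranges[-1] = (ranges[-1][0], last)   # contiguous: merge into previous range
        else:
            ranges.append((first, last))
    return [(str(a), str(b)) for a, b in ranges]


def split_any_source(rule: NatRule, exclude: List[str]) -> List[NatRule]:
    """Replace a Source of Any (with a non-Original translated source) by one
    rule per range object; range1, range2, ... are hypothetical object names.
    Rules the compiler would already accept are returned unchanged."""
    if rule.orig_src != ANY or rule.trans_src == ORIGINAL:
        return [rule]
    result = []
    for i, (first, last) in enumerate(ranges_replacing_any(exclude), start=1):
        result.append(replace(rule, orig_src=f"range{i} ({first}-{last})"))
    return result


if __name__ == "__main__":
    # Constructed input: the rule from Roy's message, as rule 3 of the rulebase.
    roy = NatRule(ANY, "All-Internal-Networks", ANY,
                  "internal-hiding-address(h)", ORIGINAL, ORIGINAL)
    for err in compile_errors(roy, 3):
        print(err)
    # Hypothetical internal network 10.0.0.0/8 excluded from the range objects.
    for fixed in split_any_source(roy, ["10.0.0.0/8"]):
        print(fixed, compile_errors(fixed, 3))
```

Each rule that `split_any_source` returns passes the modelled check, and the number of rules equals the number of range objects, which is why a handful of large ranges (rather than one per /8) keeps the rulebase small; whether the xlate table copes with ranges that large is the caveat Nick raises and is not something this script can tell you.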

> When I try to add the NAT rule:
> 
> Orig Src: Any
> Orig Dst: All-Internal-Networks
> Orig Svc: Any
> 
> Trans Src: = internal-hiding-address(h)
> Trans Dst: = Original
> Trans Svc: = Original
> Comment: Hide inbound connections behind Firewall
> 
> the rulebase fails compilation with the error message:
> 
> "Invalid <Any> in Source of Address Translation Rule 3.
> <Any> is valid only if the matching translated column is <Original>"
> 
> However, I _can_ add a hiding NAT rule which uses a network object or a
> network group as the source, so I can't see why Any should cause a
> problem - isn't Any just an extreme case of "many addresses" which already
> works?
> 
> I guess I could define a network object:
> 
> Name: all-ip-addresses
> IP: 0.0.0.0
> Mask: 0.0.0.0
> 
> And then use that as the source.  But I shouldn't really need to do this.
> 
> Any ideas on this one?  Has anyone else been bitten by this?
> 
> I'm using Firewall-1 V4.0 SP4 on NT 4.0 SP4 on Intel platform.
> 
> Regards,
> 
> Roy Hills
> NTA Monitor Ltd
> --
> Roy Hills                                    Tel:   +44 1634 721855
> NTA Monitor Ltd                              FAX:   +44 1634 721844
> 14 Ashford House, Beaufort Court,
> Medway City Estate,                          Email: [EMAIL PROTECTED]
> Rochester, Kent ME2 4FA, UK                  WWW:   http://www.nta-monitor.com/
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
