Nick,

Thanks for the info. As I understand it, the routing table entries are only needed for destination static NAT because the destination IP address gets changed by this type of NAT, and it's the destination IP which controls routing. However, I'm using source hiding NAT, which only changes the source address of the packet and only needs a routing change to allow the return packets back to the single hiding address.

Roy Hills
NTA Monitor Ltd

At 12:19 02/06/00 -0400, Nick Potkay wrote:
>Roy,
>
>You can't do it, even if the policy allowed you to install with those xlate
>rules. Whenever we use static NAT for a device (excluding services), we
>have to add a static route for the destination. We know that routing
>occurs before xlation: the firewall has a route for the internal IP
>address via the internal NIC, and you would have to route this traffic (the hide
>address on the internal NIC) out through your default gateway. You would lose
>connectivity on the internal NIC if it were possible to add this route.
>
>If you really have to do something like this, you can hide inbound
>connections behind a different, unused internal IP. The firewall must
>proxy ARP for this IP via the internal NIC, and then you will need a static
>host route, routing this internal IP out your firewall's default gateway.
>
>You are not allowed to use a Source of ANY in the xlate rulebase. You can
>use ranges, so you can create a few address range objects to take the place
>of ANY. Range1 could be 1.1.1.1 thru 10.254.254.254, etc. So create an xlate
>rule like this (O = Original Packet, T = Translated Packet):
>
>  O-src=range1  O-dst=internalnet  O-svc=Any  |  T-src=bogusinternal(hide)  T-dst=Orig  T-svc=Orig
>
>Just be warned... there may be implications to using these address ranges
>(since they are so large) in the xlate table. I'm sure there is a reason
>why Checkpoint doesn't allow you to use ANY as an O-src in xlation rules.
>
>-Nick
>Atlantic Computing
>
> > When I try to add the NAT rule:
> >
> >   Orig Src:  Any
> >   Orig Dst:  All-Internal-Networks
> >   Orig Svc:  Any
> >
> >   Trans Src: internal-hiding-address(h)
> >   Trans Dst: Original
> >   Trans Svc: Original
> >   Comment:   Hide inbound connections behind Firewall
> >
> > the rulebase fails compilation with the error message:
> >
> >   "Invalid <Any> in Source of Address Translation Rule 3.
> >    <Any> is valid only if the matching translated column is <Original>"
> >
> > However, I _can_ add a hiding NAT rule which uses a network object or a
> > network group as the source, so I can't see why Any should cause a
> > problem - isn't Any just an extreme case of "many addresses", which already
> > works?
> >
> > I guess I could define a network object:
> >
> >   Name: all-ip-addresses
> >   IP:   0.0.0.0
> >   Mask: 0.0.0.0
> >
> > and then use that as the source. But I shouldn't really need to do this.
> >
> > Any ideas on this one? Has anyone else been bitten by this?
> >
> > I'm using Firewall-1 V4.0 SP4 on NT 4.0 SP4 on an Intel platform.
> >
> > Regards,
> >
> > Roy Hills
> > NTA Monitor Ltd

-- 
Roy Hills                                   Tel:   +44 1634 721855
NTA Monitor Ltd                             FAX:   +44 1634 721844
14 Ashford House, Beaufort Court,
Medway City Estate,                         Email: [EMAIL PROTECTED]
Rochester, Kent ME2 4FA, UK                 WWW:   http://www.nta-monitor.com/

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
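Nick's workaround above replaces a Source of ANY with a handful of address range objects. The following is an added example, not code from either poster, that builds those range objects mechanically: it carves the internal network(s) out of the whole IPv4 space (the assumption being that internal-to-internal traffic should not be hidden, so the internal nets are left out) and merges what remains into the fewest contiguous first/last ranges, each of which becomes one range object in the Original Source column. The 192.168.0.0/16 internal network is a constructed sample value.

```python
import ipaddress

IPV4_ALL = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed sample: stands in for the "All-Internal-Networks" object.
INTERNAL_NETS = ["192.168.0.0/16"]


def ranges_replacing_any(internal_nets):
    """Split the IPv4 space, minus the internal networks, into the fewest
    contiguous (first, last) ranges; each pair is one range object that
    takes the place of Any in the Original Source column."""
    remaining = [IPV4_ALL]
    for net in map(ipaddress.IPv4Network, internal_nets):
        updated = []
        for block in remaining:
            if net.subnet_of(block):
                updated.extend(block.address_exclude(net))  # carve net out
            elif not block.subnet_of(net):
                updated.append(block)  # disjoint from net, keep as-is
        remaining = updated
    # Merge adjacent CIDR blocks into contiguous first-last ranges.
    ranges = []
    for n in sorted(remaining, key=lambda x: x.network_address):
        first, last = int(n.network_address), int(n.broadcast_address)
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1] = (ranges[-1][0], last)
        else:
            ranges.append((first, last))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in ranges]


def covers_all_addresses(ranges, internal_nets):
    """Sanity check: the ranges plus the internal nets account for every
    one of the 2**32 IPv4 addresses, with no gap and no overlap."""
    total = sum(int(ipaddress.IPv4Address(b)) - int(ipaddress.IPv4Address(a)) + 1
                for a, b in ranges)
    total += sum(n.num_addresses for n in ipaddress.collapse_addresses(
        map(ipaddress.IPv4Network, internal_nets)))
    return total == 2 ** 32


if __name__ == "__main__":
    for first, last in ranges_replacing_any(INTERNAL_NETS):
        print(f"O-src range object: {first} thru {last}")
```

Whether ranges this large are acceptable in the xlate table is the caveat Nick raises; the script only produces the objects, it does not answer that.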
