No, I _do_ want to translate all inbound traffic from the Internet to a single
internal IP address.  Here's why:

I've got an existing Firewall (not Firewall-1) which currently handles
all Internet traffic.  All internal systems have a default route pointing
to this "old" Firewall.

Now, I've installed a new Firewall-1 Firewall on a new Internet link.  In
the long term I might want to move all Internet traffic over to the Firewall-1
system, but this migration will be a gradual process.

However, I have an immediate requirement for SecuRemote access via
the Firewall-1 system.  This works fine for the few systems that have their
default route set to be the Firewall-1 system, but doesn't work at all for
the vast majority of systems which have their default route set to the old
Firewall because the return packets don't get encrypted (one of the rules
for SecuRemote is that the packets pass through the same gateway in
both directions).

Now, my solution to this was to NAT the inbound traffic so that it appeared
to come from an internal address.  This would mean that all systems would
reply to the internal address and therefore automatically use the Firewall-1
system for return packets.  Think of it as a way to just drop a Firewall-1
system onto a network to act as a VPN gateway without having to faff about
with routing.

Regards,

Roy Hills
NTA Monitor Ltd

At 10:50 02/06/00 -0600, Tony Kim wrote:
>If you mean that all of your internal network is hitting the internet, and you
>want to be able to hide your network behind the firewall,
>have your NAT be like so:
>
>Orig Src: All-Internal-Networks
>Orig Dst: Any
>Orig Svc: Any
>
>Trans Src: = external-hiding-address(h)
>Trans Dst: = Original
>Trans Svc: = Original
>
>Is this what you mean?  You want to be able to go to the internet and
>hide your firewalled computers?
>
>If not, why would you want all internet traffic to be translated into the
>firewall IP for your internal PCs?
>
>Maybe explain the scenario, please.
>
>
>At 09:54 AM 02/06/00 , Roy Hills wrote:
> >
> >I want to perform hiding NAT for inbound packets coming in from the
> >Internet so that their source address is translated to be the Firewall's
> >internal address.
> >
> >When I try to add the NAT rule:
> >
> >Orig Src: Any
> >Orig Dst: All-Internal-Networks
> >Orig Svc: Any
> >
> >Trans Src: = internal-hiding-address(h)
> >Trans Dst: = Original
> >Trans Svc: = Original
> >Comment: Hide inbound connections behind Firewall
> >
> >the rulebase fails compilation with the error message:
> >
> >"Invalid <Any> in Source of Address Translation Rule 3.
> ><Any> is valid only if the matching translated column is <Original>"
> >
> >However, I _can_ add a hiding NAT rule which uses a network object or a
> >network group as the source, so I can't see why Any should cause a
> >problem - isn't Any just an extreme case of "many addresses" which already
> >works?
> >
> >I guess I could define a network object:
> >
> >Name: all-ip-addresses
> >IP: 0.0.0.0
> >Mask: 0.0.0.0
> >
> >And then use that as the source.  But I shouldn't really need to do this.
> >
> >Any ideas on this one?  Has anyone else been bitten by this?
> >
> >I'm using Firewall-1 V4.0 SP4 on NT 4.0 SP4 on Intel platform.
> >
> >Regards,
> >
> >Roy Hills
> >NTA Monitor Ltd
> >--
> >Roy Hills                                    Tel:   +44 1634 721855
> >NTA Monitor Ltd                              FAX:   +44 1634 721844
> >14 Ashford House, Beaufort Court,
> >Medway City Estate,                          Email: [EMAIL PROTECTED]
> >Rochester, Kent ME2 4FA, UK                  WWW:   http://www.nta-monitor.com/
> >
> >
> >
> >================================================================================
> >     To unsubscribe from this mailing list, please see the instructions at
> >               http://www.checkpoint.com/services/mailing.html
> >================================================================================
>
>
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>         Tony Kim
>         CSM Systems Inc.
>         Chief Network Security Engineer.
>         780-441-3251      1-888-799-2500
>
>         Suite 900 - First Edmonton Place
>         10665 Jasper Avenue
>         Edmonton, AB
>         T5J 3S9
>         Canada
>
>         http://www.canadashop.com/
>         http://www.csm-systems.com/
>         http://www.americangamers.com/
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

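An added example, not part of the thread, that simulates the routing argument in Roy's message: an internal host whose default route points at the old firewall replies to a SecuRemote client via that old firewall, unless the inbound packet was hidden behind the Firewall-1 internal address, in which case the reply is on-link and lands on Firewall-1, which restores the client address. The 10.0.0.0/24 topology, addresses and port numbers are constructed for the simulation.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for the simulation (not from the thread):
LAN = ip_network("10.0.0.0/24")
OLD_FW = ip_address("10.0.0.254")      # default route of most internal hosts
FW1_INSIDE = ip_address("10.0.0.1")    # Firewall-1 internal (hiding) address
CLIENT = ip_address("203.0.113.5")     # SecuRemote user on the Internet
SERVER = ip_address("10.0.0.50")       # internal host, default route -> OLD_FW


class HidingNat:
    """Many-to-one source NAT: the original source is remembered per
    translated port, the way a FW-1 hide-mode rule tracks connections."""

    def __init__(self, hide_addr, first_port=10000):
        self.hide_addr = hide_addr
        self.next_port = first_port
        self.table = {}  # translated sport -> (original src, original sport)

    def translate(self, src, sport, dst, dport):
        """Packet from the Internet entering the LAN: rewrite its source."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (src, sport)
        return self.hide_addr, port, dst, dport

    def untranslate(self, src, sport, dst, dport):
        """Reply arriving back at FW-1: restore the client address."""
        orig_src, orig_sport = self.table[dport]
        return src, sport, orig_src, orig_sport


def host_next_hop(dst, default_gw=OLD_FW):
    """Host routing decision: on-link if dst is in the LAN, else default gw."""
    return dst if dst in LAN else default_gw


def trace_reply(use_nat):
    """Return (next hop the server sends its reply to, final reply dst)."""
    nat = HidingNat(FW1_INSIDE)
    pkt = (CLIENT, 40000, SERVER, 22)
    if use_nat:
        pkt = nat.translate(*pkt)
    src, sport, dst, dport = pkt
    hop = host_next_hop(src)            # server replies to the source it saw
    if hop != FW1_INSIDE:
        return hop, src                 # leaves via old firewall, unencrypted
    _, _, final_dst, _ = nat.untranslate(dst, dport, src, sport)
    return hop, final_dst               # FW-1 restores the client address


if __name__ == "__main__":
    print("without NAT:", trace_reply(False))  # reply goes to old firewall
    print("with NAT:   ", trace_reply(True))   # reply goes to Firewall-1
```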