There is no NAT pool for SR in FW 4.0. Is that the version you are using? If so, then I have a workaround.

Create a workstation object with the IP address set to the FW's internal IP address. Create a network object with IP address 0.0.0.0, mask 0.0.0.0, and name it "Internet". Now, in the NAT rule base, add a rule:

Original packet: Source (Internet) -> Destination (Internal NW), Service (Any)
Translated packet: Source (FW internal IP object, hide mode) -> Destination = original, Service = original

What the above rule will do is that any packet coming from the Internet meant for your local LAN, i.e. through SecuRemote, will get hidden behind the FW's internal IP address. Since this IP address is accessible from your internal LAN, they will send the reply packets back to the VPN FW and not to your default GW. Try it out... it works.

Warm Regards,
Amit Saha
Specialist - Network Security
HCL Comnet Systems & Services Ltd.
Mumbai, India.
Tel. : 91-22-654 1986
Fax : 91-22-654 1475
Mobile : 98200 50005
Mail id : [EMAIL PROTECTED]
Web address : www.hclcomnet.com

"This correspondence is for the named person's use only. It may contain confidential or legally privileged information or both. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this correspondence in error, please immediately delete it from your system and notify the sender. You must not disclose, copy or rely on any part of this correspondence if you are not the intended recipient."

-----Original Message-----
From: Nick Potkay [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 02, 2000 11:45 PM
To: Roy Hills
Cc: Tony Kim; [EMAIL PROTECTED]
Subject: Re: [FW1] Can't use original source of Any with hiding NAT rule

On Fri, 2 Jun 2000, Roy Hills wrote:
> However, I have an immediate requirement for SecuRemote access via
> the Firewall-1 system. This works fine for the few systems that have their
> default route set to be the Firewall-1 system, but doesn't work at all for
> the vast majority of systems which have their default route set to the old
> Firewall because the return packets don't get encrypted (one of the rules
> for SecuRemote is that the packets pass through the same gateway in
> both directions).

FW 4.1 SP1 will do NAT pools for SR :-)

Create a range object containing internal addresses.
Policy -> Properties -> IP Pool NAT, check off "enable ip pool nat for SR".
Then go edit your firewall object acting as the VPN gateway -> NAT tab; there you specify the NAT pool to use.

-Nick

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
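The two answers in the thread (hide NAT behind the firewall's internal address on 4.0, IP Pool NAT for SecuRemote on 4.1 SP1) solve the same asymmetric-routing problem Roy describes: the internal host's reply must come back through the VPN gateway, not the LAN's default gateway. The model below is an added example, not code from the thread or from Check Point; it simulates the routing decision of an internal host and both translation modes so the difference is visible. Every address, the hide-port range, and the assumption that the VPN firewall proxy-ARPs for the pool range are made up for the example.

```python
"""Why SecuRemote replies return to the VPN firewall once the client address is
translated into the LAN (hide NAT behind FW-1's internal IP, or IP Pool NAT).
Constructed model, not Check Point code; all addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, Optional, Tuple

# Assumed topology: most LAN hosts default-route to the old firewall, not to FW-1.
LAN = ip_network("10.1.0.0/16")
OLD_FW = ip_address("10.1.0.1")          # default gateway of most internal hosts
VPN_FW_INSIDE = ip_address("10.1.0.2")   # FW-1 internal interface (the "workstation object")
POOL = ip_network("10.1.250.0/24")       # range object used for IP Pool NAT (4.1 SP1)
SR_CLIENT = ip_address("192.0.2.77")     # a SecuRemote user's real address (documentation range)
SR_CLIENT_2 = ip_address("192.0.2.78")   # a second SecuRemote user
SERVER = ip_address("10.1.20.5")         # internal host the SecuRemote user talks to

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int

Flow = Tuple[IPv4Address, int, IPv4Address, int]

class NoNat:
    """Baseline: decrypted SecuRemote packets keep the client's real source address."""
    def inbound(self, p: Packet) -> Packet:
        return p
    def outbound(self, p: Packet) -> Optional[Packet]:
        return p

class HideNat:
    """The 4.0 workaround: Internet -> Internal NW, source hidden behind VPN_FW_INSIDE.
    Hide mode is many-to-one, so the firewall allocates a distinct port per flow."""
    def __init__(self) -> None:
        self._ports: Dict[Flow, int] = {}
        self._flows: Dict[int, Flow] = {}
        self._next_port = 10000          # assumed hide-port range
    def inbound(self, p: Packet) -> Packet:
        flow: Flow = (p.src, p.sport, p.dst, p.dport)
        port = self._ports.get(flow)
        if port is None:
            port, self._next_port = self._next_port, self._next_port + 1
            self._ports[flow], self._flows[port] = port, flow
        return Packet(VPN_FW_INSIDE, port, p.dst, p.dport)
    def outbound(self, p: Packet) -> Optional[Packet]:
        # Reply is addressed to VPN_FW_INSIDE:port; recover the original flow from the port.
        flow = self._flows.get(p.dport)
        if flow is None or (flow[2], flow[3]) != (p.src, p.sport):
            return None                  # no matching connection: drop
        return Packet(p.src, p.sport, flow[0], flow[1])

class PoolNat:
    """IP Pool NAT for SR (4.1 SP1): each SecuRemote client borrows one address from
    POOL, one-to-one, so ports are left alone."""
    def __init__(self) -> None:
        self._pool_of: Dict[IPv4Address, IPv4Address] = {}
        self._free = iter(POOL.hosts())
    def inbound(self, p: Packet) -> Packet:
        pool_ip = self._pool_of.get(p.src)
        if pool_ip is None:
            pool_ip = next(self._free)   # StopIteration once the range is exhausted
            self._pool_of[p.src] = pool_ip
        return Packet(pool_ip, p.sport, p.dst, p.dport)
    def outbound(self, p: Packet) -> Optional[Packet]:
        for client, pool_ip in self._pool_of.items():
            if pool_ip == p.dst:
                return Packet(p.src, p.sport, client, p.dport)
        return None

def host_next_hop(dst: IPv4Address) -> IPv4Address:
    """Routing decision of an internal host: on-link for the LAN, otherwise OLD_FW."""
    return dst if dst in LAN else OLD_FW

def vpn_fw_answers_for(addr: IPv4Address, nat) -> bool:
    """Addresses the VPN firewall picks up on the LAN segment: its own interface and,
    for pool NAT, the pool range (assumed: the firewall proxy-ARPs for it)."""
    return addr == VPN_FW_INSIDE or (isinstance(nat, PoolNat) and addr in POOL)

def simulate(nat, client_port: int = 40000) -> Tuple[IPv4Address, Optional[Packet]]:
    """One request SR_CLIENT -> SERVER:80 and the server's reply. Returns (where the
    server sends the reply, the reply as the VPN firewall would forward it to the
    client, or None when it never reaches the VPN firewall)."""
    request = Packet(SR_CLIENT, client_port, SERVER, 80)
    as_seen_by_server = nat.inbound(request)
    reply = Packet(SERVER, 80, as_seen_by_server.src, as_seen_by_server.sport)
    next_hop = host_next_hop(reply.dst)
    if not vpn_fw_answers_for(next_hop, nat):
        return next_hop, None            # leaves via OLD_FW in the clear: SecuRemote breaks
    return next_hop, nat.outbound(reply)

if __name__ == "__main__":
    for nat in (NoNat(), HideNat(), PoolNat()):
        hop, back = simulate(nat)
        print(f"{type(nat).__name__:8s} reply next hop {hop} -> {back}")
```

Without translation the reply is addressed to the client's real address, the host hands it to its default gateway, and the VPN firewall never sees it. With either translation the reply's destination lies inside the LAN and is answered by the VPN firewall, which reverses the mapping and encrypts the packet to the client. The trade-off the model makes visible: hide mode collapses every SecuRemote user onto one address, so internal servers see only the firewall's IP and the firewall must keep per-flow port state, whereas pool NAT keeps one address per user (and runs out when the range is used up).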
