Declan,

If I'm not mistaken, you were warned about deleting
the object, since it was part of a/some rule(s). I'm not
sure if all versions do this, but v4.0sp4 and
v4.1sp1(Build 41603) do.

The automatic NAT rules come from the object(s) which
have the NATting defined. If you delete the object - goodbye
automatic NAT rule(s) for that object.

But as warnings go, this is helpful in any case - thanks.

Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> [EMAIL PROTECTED] 6/28/00 7:54:04 AM >>>
>
>The squid cache box in the dmz of my IP440 firewall stopped working
>today for the following reason:
>
>I had two squid objects in my policy (squid and squidtest) I had both
>internal and external NAT rules applied. The first pair of NAT rules
>were:
>squidtest to internal_networks, any TRANSLATE squidtest_internal to
>original, any AND
>internal_networks to squidtest_internal, any TRANSLATE original to
>squidtest, any
>
>where squidtest_internal is the object I created for the internal NAT
>rule. This pair of NAT rules was created manually and an automatic pair
>was also created that did the external NATing. The trouble started when
>I deleted the squidtest object (having no more use for it!) it deleted
>the automatic NAT rules (good) but didn't fully delete the manually made
>rules - it deleted the squidtest and squidtest_internal parts and made
>the first two NAT rules look like this:
>
>any to internal_networks, any TRANSLATE original to original, any AND
>internal_networks to any, any TRANSLATE original to original, any
>
>This effectively masked/nulled subsequent NAT rules and stops fw-1
>routing packets to the relevant places. This is one to watch out for.
>
>Regards
>
>declan
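
Added example, not part of the original thread and not Check Point code: a small audit over an exported NAT rulebase that flags the collapsed "any ... original to original" rules described above and the later rules they mask. The object addresses, the NatRule layout and the surviving squid rule pair are constructed for illustration; first-match evaluation is assumed and the service column is ignored.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed object database: names follow the post, addresses are made up.
OBJECTS = {
    "any": ["0.0.0.0/0"],
    "internal_networks": ["10.0.0.0/8"],
    "squid": ["192.0.2.10/32"],
    "squid_internal": ["10.1.1.10/32"],
}

@dataclass
class NatRule:  # hypothetical layout for one exported NAT rule
    src: str
    dst: str
    xsrc: str = "original"
    xdst: str = "original"

def nets(name):
    return [ip_network(n) for n in OBJECTS[name]]

def covers(outer, inner):
    """True if every network of `inner` lies inside some network of `outer`."""
    return all(any(i.subnet_of(o) for o in nets(outer)) for i in nets(inner))

def audit(rules):
    """Return (rule_number, finding) pairs, assuming first match wins."""
    findings = []
    for i, r in enumerate(rules):
        noop = r.xsrc == "original" and r.xdst == "original"
        if noop and "any" in (r.src, r.dst):
            findings.append((i + 1, "no-op rule with 'any' match"))
        for j, later in enumerate(rules[i + 1:], start=i + 2):
            if covers(r.src, later.src) and covers(r.dst, later.dst):
                findings.append((j, f"shadowed by rule {i + 1}"))
    return findings

# Rules 1-2: the collapsed pair quoted in the post.
# Rules 3-4: a constructed manual pair for the surviving squid object.
RULEBASE = [
    NatRule("any", "internal_networks"),
    NatRule("internal_networks", "any"),
    NatRule("squid", "internal_networks", xsrc="squid_internal"),
    NatRule("internal_networks", "squid_internal", xdst="squid"),
]

if __name__ == "__main__":
    for number, finding in audit(RULEBASE):
        print(f"rule {number}: {finding}")
```

Running the same audit before and after deleting an object shows whether any manual rule has silently widened to "any".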



