Hi,

I'm using Checkpoint FW1 version 4.

It is running on a Sun server running solaris 2.6

The machine has three active interfaces:
        hme0: the internal network
        qfe2: the DMZ
        qfe3: the internet

I have a couple of internal machines set up with a static NAT to the
internet. This works perfectly. I did have to add static routes on the
firewall for each NAT going from the translated address to the new address
for this to work.

My problem is that the machines on the DMZ can not connect to these machines
on their NAT address (or obviously their internal one).

The rule exists.
The route exists.
I can see the traffic on the qfe2 interface using tcpdump.
I can see checkpoint accepting the packet in the log.
But the packet never emerges from any of the firewall's interfaces.

Here are log entries for the different attempts (one internet - works fine,
one DMZ - doesn't work).

"firewall" is the firewall
"NATbox" is the NAT'd machine (only http packets are allowed).
"DMZbox" is the machine on the DMZ trying to connect.
"internet" is on the internet - it connects just fine.

internet - works
"11Jul2000"  "16:00:18"  "qfe2"  "firewall"  "log"  "accept"  "http"
"internet"  "NATbox (Valid Address)"  "tcp"  "5"  "58398"  ""  ""  ""
"internet"  "NATbox"  "58398"  "http"  " len 60"  

DMZ - doesn't work
"11Jul2000"  "16:00:24"  "qfe1"  "firewall"  "log"  "accept"  "http"
"DMZbox"  "NATbox (Valid Address)"  "tcp"  "3"  "1254"  ""  ""  ""  "DMZbox"
"NATbox (Valid Address)"  "1254"  "http"  " len 60"  

Why is it that for the working translation from the net, the NAT computer
appears as "NATbox", but for the non-working translation from the DMZ it
appears as "NATbox (Valid Address)"?

Does anyone have any ideas how I can fix this?

Many thanks.

kath knight | network engineer 
voice +61 2 9395 8600 | fax +61 2 9518 9836
rare medium asia pacific | www.raremedium.com.au

