Here is the set-up:
3-NICS
FW External (Valid IP)
DMZ 192.168.1.x
LocalNet 192.168.168.x (No Automatic Hiding Done)
NAT Rules:
localnet localnet any orig orig orig
localnet any any FWIP orig orig
I am now trying to give access to the DMZ from the LocalNet, and do the
following:
Rule:
LocalNet DMZ any Accept Long -- This shows as
accepted in the log (ping as an example)
NAT:
Created 2 Address range objects:
LocalNetInvalid - 192.168.168.1 - 192.168.168.255
DMZInvalid - 192.168.1.1 - 192.168.1.255
Placed the following 2 NAT rules above the NAT Rules shown above:
LocalNetInvalid DMZInvalid ANY orig orig orig
DMZInvalid LocalNetInvalid ANY orig orig orig
From DMZ machines, I can see logging of communication with the firewall, and
from LocalNet I can see communication (and acceptance) by the Firewall.
Ping from localnet to DMZ shows accept in logs, but timeout on the clients...
It isn't doing routing as it should by default. The route tables show
correct information.
Do I need to Hide these Invalid ranges behind an IP that is contained in the
other?
Thanks for your help!
PDB
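To show why the two "orig orig orig" rules have to sit above the hide rule, here is an added example (not from the post or from Check Point) that models first-match evaluation of the post's NAT rulebase; FWIP is a placeholder address, and the helper name is an assumption.

```python
import ipaddress

# Constructed model of a first-match NAT rulebase, using the networks from the post.
LOCALNET = ipaddress.ip_network("192.168.168.0/24")
DMZ = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
FWIP = "203.0.113.1"  # placeholder for the firewall's valid external address

# Each rule: (original source, original destination, translated source).
# None for the translated source means "orig" (no translation).
RULEBASE_WITH_NONAT = [
    (LOCALNET, DMZ, None),       # LocalNetInvalid -> DMZInvalid, orig
    (DMZ, LOCALNET, None),       # DMZInvalid -> LocalNetInvalid, orig
    (LOCALNET, LOCALNET, None),  # localnet localnet any orig
    (LOCALNET, ANY, FWIP),       # localnet any any FWIP (hide NAT)
]
# The rulebase as it stood before the two no-NAT rules were added.
RULEBASE_ORIGINAL = RULEBASE_WITH_NONAT[2:]


def translate_source(rulebase, src, dst):
    """Return the source address after the first matching rule (unchanged if none)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, xlate_src in rulebase:
        if s in rule_src and d in rule_dst:
            return xlate_src if xlate_src is not None else src
    return src


if __name__ == "__main__":
    # Without the no-NAT rules, LocalNet -> DMZ traffic is hidden behind FWIP,
    # so the DMZ host answers the firewall's address rather than the client.
    print(translate_source(RULEBASE_ORIGINAL, "192.168.168.10", "192.168.1.20"))
    # With them placed first, the packet keeps its real source.
    print(translate_source(RULEBASE_WITH_NONAT, "192.168.168.10", "192.168.1.20"))
    # Internet-bound traffic still falls through to the hide rule.
    print(translate_source(RULEBASE_WITH_NONAT, "192.168.168.10", "198.51.100.5"))
```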
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================