I'm a bit lost, you are segmenting these machines in the DMZ, but allowing
full access from the internal net? Bad policy!
Seems like routing would be a logical issue; check your masks on the DMZ and
localnet. Make sure they don't walk over each other.
Another question. Why are you NATting from Internal to DMZ? Routing would
work just fine.
Thomas
-----Original Message-----
From: Patrick Baird [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 21, 2000 11:42 AM
To: '[EMAIL PROTECTED]'
Subject: [FW1] 3 NIC NAT Issues...
Here is the set-up:
3-NICS
FW External (Valid IP)
DMZ 192.168.1.x
LocalNet 192.168.168.x (No Automatic Hiding Done)
NAT Rules:
localnet localnet any orig orig orig
localnet any any FWIP orig orig
I am now trying to give access to the DMZ from the LocalNet, do the
following:
Rule:
LocalNet DMZ any Accept Long -- This shows as
accepted in the log (ping as an example)
NAT:
Created 2 Address range objects:
LocalNetInvalid - 192.168.168.1 - 192.168.168.255
DMZInvalid - 192.168.1.1 - 192.168.1.255
Placed the following 2 NAT rules above the NAT Rules shown above:
LocalNetInvalid DMZInvalid ANY orig orig orig
DMZInvalid LocalNetInvalid ANY orig orig orig
From DMZ machines, I can see logging of communication with the firewall, and
from LocalNet I can see communication (and acceptance) by the Firewall.
Ping from localnet to DMZ shows accept in logs, but timeout on the clients...
It isn't doing routing as it should by default. The route tables show
correct information.
Do I need to Hide these Invalid ranges behind an IP that is contained in the
other?
Thanks for your help!
PDB
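Two things in this thread lend themselves to a quick offline check: Thomas's advice to make sure the DMZ and LocalNet masks don't overlap, and the question of why the two "orig orig orig" rules have to sit above the hide rule in the NAT rule base. The script below is an added example written for this thread, not code from either poster or from Check Point; it assumes FW-1 evaluates NAT rules top-down with the first match winning, uses the /24 prefixes implied by the post, and substitutes an RFC 5737 documentation address as a placeholder for the firewall's real external IP.

```python
"""Added example for the FW-1 3-NIC NAT thread (not from the original posts).

1. Verify the DMZ and LocalNet prefixes do not overlap (the "walk over each
   other" check from the reply).
2. Model first-match NAT rule evaluation to show what happens to a
   LocalNet -> DMZ packet with and without the two no-translation rules
   placed above the hide rule.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes constructed from the /24-style figures in the original post.
DMZ = ipaddress.ip_network("192.168.1.0/24")
LOCALNET = ipaddress.ip_network("192.168.168.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Placeholder for the firewall's valid external IP (RFC 5737 documentation range).
FW_IP = "203.0.113.1"


def networks_overlap(a, b):
    """Return True if two prefixes share any address, i.e. the masks collide."""
    return ipaddress.ip_network(str(a)).overlaps(ipaddress.ip_network(str(b)))


@dataclass
class NatRule:
    """One NAT rule: original source, original destination, translated source.
    xlate_src == "orig" means keep the packet's own source (no translation);
    any other value is a hide address the source is rewritten to."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    xlate_src: str


def translate(rules, src_ip, dst_ip):
    """First-match NAT: return the source address the packet leaves with."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return src_ip if r.xlate_src == "orig" else r.xlate_src
    return src_ip  # no rule matched: packet is not translated


# The rule base as first posted: localnet->localnet untouched,
# localnet->anything else hidden behind the firewall's external IP.
ORIGINAL_RULES = [
    NatRule(LOCALNET, LOCALNET, "orig"),
    NatRule(LOCALNET, ANY, FW_IP),
]

# The rule base after the two "Invalid" range rules are added above it.
FIXED_RULES = [
    NatRule(LOCALNET, DMZ, "orig"),
    NatRule(DMZ, LOCALNET, "orig"),
] + ORIGINAL_RULES


if __name__ == "__main__":
    print("DMZ/LocalNet overlap:", networks_overlap(DMZ, LOCALNET))
    print("LocalNet->DMZ, original rules:",
          translate(ORIGINAL_RULES, "192.168.168.10", "192.168.1.20"))
    print("LocalNet->DMZ, with orig rules on top:",
          translate(FIXED_RULES, "192.168.168.10", "192.168.1.20"))
```

With only the original two rules, a LocalNet host talking to the DMZ misses the localnet-to-localnet rule and falls through to the hide rule, so the DMZ sees the packet arriving from the firewall's external address; that is consistent with the "accepted in the log, but timeout on the client" symptom, since the DMZ host's reply goes back to the hide address rather than the real client. With the two no-translation rules on top, the private addresses are preserved in both directions and plain routing between the interfaces can do the work, which is the point of the reply. The overlap check is the quick way to catch a mask typo (for example a /16 on one interface) that would make the two private networks shadow each other in the route table.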
============================================================================
====
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
============================================================================
====