Tim --

I have been trying to set up static NAT on my Linux FW-1.  Do you know what route
commands I should add?  I added an ARP entry then added:

/sbin/route add $valid_ip gw $invalid_ip

... and everything works great except now my static NAT machine can't communicate
with anyone on the subnet directly connected to the untrusted interface of the
FW-1.  That subnet can't communicate with the NAT host either.  It's bizarre because
the static NAT host can ping www.yahoo.com, but I can access any service from my
house to the static NAT host perfectly.

Am I routing incorrectly?  Any ideas?

Any help would be much appreciated.

Cheers,
John

Tim Cullen wrote:

> First, never send out your public IP addresses across a publicly accessible
> mailing list.
> The arp address should be
> <NAT'd address for client to see> <MAC address of outside interface of the
> firewall>
> Route should be
> route add (what ever Unix flavor specific command options here) <NAT'd
> address for client to see> mask 255.255.255.255 <Actual machine IP address
> internally> (Unix metric options here)
>
> Not trying to say you don't know how to do it, just look at the specific
> info related to the arps and routes.  Do a netstat to see if the correct
> route is in there and an arp -a to see all of the arps.  Usually this issue
> is a small nit-picky thing that you will look over and over and never see.
>
> -----Original Message-----
> From: Randall Kizer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 25, 2000 6:19 PM
> To: Jim Brown; [EMAIL PROTECTED]
> Subject: RE: [FW1] Static NAT
>
> We can get from the inside going out, but not outside coming in.
>
> We've opened a rule from a specific outside IP that should have no problem
> coming in.  When we do a traceroute, we can get all the way to the outside
> interface of the firewall, but no further.  When we watch the firewall log,
> there's no entry indicating xlate, deny, permit, or anything.
>
> The arp -s rule we're using (Solaris 2.7) is as follows:
>
> arp -s 159.28.34.223 8:0:20:9a:72:e9 pub
>
> Randall
>
> At 03:07 PM 8/25/00 -0600, Jim Brown wrote:
>
> >Randall, Randall... Details, Details. How did it not work?
> >
> >-----Original Message-----
> >From: Randall Kizer [mailto:[EMAIL PROTECTED]]
> >Sent: Friday, August 25, 2000 12:31 PM
> >To: [EMAIL PROTECTED]
> >Subject: [FW1] Static NAT
> >
> >
> >
> >Last night I tried to cut-over to 4.1 SP2.  Everything worked great except
> >for STATIC NAT.  Hidden NAT worked, the firewall rules worked, everything
> >worked except static NAT.  Any suggestions?
> >
> >Randall
> >
> >
> >
> >-
> >"As soon as men decide that all
> >means are permitted to fight an evil,
> >their good becomes indistinguishable
> >from the evil they set out to destroy."
> >                        --Christopher Dawson
> >
> >
> >
> >================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> >================================================================================
>
> -
> "As soon as men decide that all
> means are permitted to fight an evil,
> their good becomes indistinguishable
> from the evil they set out to destroy."
>                        --Christopher Dawson
>
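Added example (not code from any poster in this thread): a small POSIX sh check that applies the advice above, confirming from captured netstat -rn and arp -an style output that both the /32 route for the NAT'd address and the published ARP entry on the outside interface are present. The tables, addresses and MACs are constructed placeholders, and the column layout assumed is that of Linux net-tools.

```shell
#!/bin/sh
# Verify the two pieces of a FW-1 style static NAT on a Unix firewall:
#   1. a host (/32) route for the NAT'd address pointing at the real internal host
#   2. a published ARP entry for the NAT'd address with the outside interface's MAC
# Tables are passed in as text so the check runs offline against captured output;
# on a live box feed it the output of `netstat -rn` and `arp -an` instead.
# All addresses and MACs below are constructed placeholders.

# has_host_route ROUTING_TABLE NAT_IP INTERNAL_IP -> 0 if the /32 route exists
has_host_route() {
    printf '%s\n' "$1" | awk -v nat="$2" -v gw="$3" '
        $1 == nat && $2 == gw && $3 == "255.255.255.255" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_published_arp ARP_TABLE NAT_IP MAC -> 0 if a published entry with that MAC exists
has_published_arp() {
    printf '%s\n' "$1" | awk -v nat="$2" -v mac="$3" '
        index($0, "(" nat ")") && index(tolower($0), tolower(mac)) && toupper($0) ~ /PUB/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_static_nat ROUTES ARPS NAT_IP INTERNAL_IP MAC -> 0 only when both pieces are present
check_static_nat() {
    has_host_route "$1" "$3" "$4" || { echo "missing /32 route for $3 via $4" >&2; return 1; }
    has_published_arp "$2" "$3" "$5" || { echo "missing published ARP entry for $3" >&2; return 1; }
    return 0
}

# Constructed sample output: correctly plumbed static NAT
ROUTES_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
192.0.2.10      10.0.0.5        255.255.255.255 UGH     0 0          0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U       0 0          0 eth1
0.0.0.0         192.0.2.1       0.0.0.0         UG      0 0          0 eth0'
ARPS_OK='? (192.0.2.10) at 02:00:00:00:00:01 [ether] PERM PUB on eth0
? (192.0.2.1) at 02:00:00:00:00:fe [ether] on eth0'
# Constructed sample with the route entered backwards (destination and gateway swapped)
ROUTES_BAD='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
10.0.0.5        192.0.2.10      255.255.255.255 UGH     0 0          0 eth1'

check_static_nat "$ROUTES_OK"  "$ARPS_OK" 192.0.2.10 10.0.0.5 02:00:00:00:00:01 && echo "static NAT plumbing OK"
check_static_nat "$ROUTES_BAD" "$ARPS_OK" 192.0.2.10 10.0.0.5 02:00:00:00:00:01 || echo "static NAT plumbing broken"
```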