Randall --

You bet I will.  What platform are you running FW-1 on?  Mine is on Red Hat Linux
6.2... I only ask because I am almost sure it's a routing problem...

Well, at least I suspect so, because I don't know that much about modifying kernel
routing tables (Red Hat has always taken care of this for me) and there is nothing in
the 15-lb. manual they ship you with FW-1 other than "you have to modify your internal
routing table." Sheesh... a lot of help that statement is :-).  And you have to look
real hard to find that.

I'll _definitely_ let you know anything I figure out.  Please do the same.

Cheers,
John

Randall Kizer wrote:

> John,
>
> This is EXACTLY my problem!  I'm still working on it.  If I am able to
> solve it, I'll let you know.  If you're able to solve it, please let me know!
>
> Thank you!
> Randall
>
> At 09:35 AM 8/26/00 -0700, you wrote:
> >Tim --
> >
> >I have been trying to set up static NAT on my Linux FW-1.  Do you know
> >what route commands I should add.  I added an ARP entry then added:
> >
> >/sbin/route add $valid_ip gw $invalid_ip
> >
> >... and everything works great except now my static NAT machine can't
> >communicate with anyone on the subnet directly connected to the untrusted
> >interface of the FW-1.  That subnet can't communicate with the NAT host
> >either.  It's bizarre because the static NAT host can ping www.yahoo.com,
> >but I can access any service from my house to the static NAT host perfectly.
> >
> >Am I routing incorrectly?  Any ideas?
> >
> >Any help would be much appreciated.
> >
> >Cheers,
> >John
> >
> >Tim Cullen wrote:
> >
> > > First, never send out your public IP addresses across a publicly accessible
> > > mailing list.
> > > The arp address should be
> > > <NAT'd address for client to see> <MAC address of outside interface of the
> > > firewall>
> > > Route should be
> > > route add (what ever Unix flavor specific command options here) <NAT'd
> > > address for client to see> mask 255.255.255.255 <Actual machine IP address
> > > internally> (Unix metric options here)
> > >
> > > Not trying to say you don't know how to do it, just look at the specific
> > > info related to the arps and routes.  Do a netstat to see if the correct
> > > route is in there and an arp -a to see all of the arps.  Usually this issue
> > > is a small nit-picky thing that you will look over and over and never see.
> > >
> > > -----Original Message-----
> > > From: Randall Kizer [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, August 25, 2000 6:19 PM
> > > To: Jim Brown; [EMAIL PROTECTED]
> > > Subject: RE: [FW1] Static NAT
> > >
> > > We can get from the inside going out, but not outside coming in.
> > >
> > > We've opened a rule from a specific outside IP that should have no problem
> > > coming in.  When we do a traceroute, we can get all the way to the outside
> > > interface of the firewall, but no further.  When we watch the firewall log,
> > > there's no entry indicating xlate, deny, permit, or anything.
> > >
> > > The arp -s rule we're using (Solaris 2.7) is as follows:
> > >
> > > arp -s 159.28.34.223 8:0:20:9a:72:e9 pub
> > >
> > > Randall
> > >
> > > At 03:07 PM 8/25/00 -0600, Jim Brown wrote:
> > >
> > > >Randall, Randall... Details, Details. How did it not work?
> > > >
> > > >-----Original Message-----
> > > >From: Randall Kizer [mailto:[EMAIL PROTECTED]]
> > > >Sent: Friday, August 25, 2000 12:31 PM
> > > >To: [EMAIL PROTECTED]
> > > >Subject: [FW1] Static NAT
> > > >
> > > >
> > > >
> > > >Last night I tried to cut-over to 4.1 SP2.  Everything worked great except
> > > >for STATIC NAT.  Hidden NAT worked, the firewall rules worked, everything
> > > >worked except static NAT.  Any suggestions?
> > > >
> > > >Randall
> > > >
> > > >
> > > >
> > > >-
> > > >"As soon as men decide that all
> > > >means are permitted to fight an evil,
> > > >their good becomes indistinguishable
> > > >from the evil they set out to destroy."
> > > >                        --Christopher Dawson
> > > >
> > > >
> > > >
> > > >================================================================================
> > > >      To unsubscribe from this mailing list, please see the
> > > >instructions at
> > > >                http://www.checkpoint.com/services/mailing.html
> > > >================================================================================
> > > >
> > > >
> > >
> > > -
> > > "As soon as men decide that all
> > > means are permitted to fight an evil,
> > > their good becomes indistinguishable
> > > from the evil they set out to destroy."
> > >                        --Christopher Dawson
> > >
> > >
> > >
>
> -
> "As soon as men decide that all
> means are permitted to fight an evil,
> their good becomes indistinguishable
> from the evil they set out to destroy."
>                        --Christopher Dawson



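Tim's advice in the thread is to verify the two prerequisites by hand: a host route for the NAT'd address pointing at the real internal address, and a published ARP entry for the NAT'd address carrying the MAC of the firewall's outside interface. The script below is an added example, not code from the thread or from Check Point: it parses the Linux net-tools `netstat -rn` and `arp -an` formats (John's box is Red Hat; Solaris output, which Randall is on, is laid out differently and would need its own parser) and reports anything that does not match. All addresses, MACs and the sample command output are constructed, and the function names are my own.

```python
"""Check the static NAT forwarding prerequisites on a Linux firewall host.

Added example (not from the mailing-list thread). Verifies, from saved
`netstat -rn` and `arp -an` output, that:
  1. a /32 host route exists for the public (NAT'd) address whose gateway
     is the real internal address, and
  2. a *published* ARP entry exists for the public address with the MAC of
     the firewall's external interface.
Sample output and addresses below are constructed (RFC 5737 / RFC 1918).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

HOST_MASK = "255.255.255.255"


@dataclass
class Route:
    dest: str
    gateway: str
    genmask: str
    iface: str


@dataclass
class ArpEntry:
    mac: str
    published: bool
    iface: str


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse Linux net-tools `netstat -rn` (assumed column layout)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Columns: Destination Gateway Genmask Flags MSS Window irtt Iface
        if len(parts) < 8 or not re.fullmatch(r"[\d.]+", parts[0]):
            continue  # skip the title line and the column header
        routes.append(Route(parts[0], parts[1], parts[2], parts[7]))
    return routes


_ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]+) \[ether\](?P<flags>.*?) on (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_arp_an(text: str) -> Dict[str, ArpEntry]:
    """Parse Linux net-tools `arp -an`; published entries carry a PUB flag."""
    entries = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:  # incomplete entries have no MAC and are skipped
            flags = m.group("flags").split()
            entries[m.group("ip")] = ArpEntry(
                m.group("mac").lower(), "PUB" in flags, m.group("iface"))
    return entries


def check_static_nat(public_ip: str, internal_ip: str, fw_external_mac: str,
                     netstat_text: str, arp_text: str) -> List[str]:
    """Return a list of findings; an empty list means both prerequisites hold."""
    findings = []
    routes = [r for r in parse_netstat_rn(netstat_text) if r.dest == public_ip]
    host_routes = [r for r in routes if r.genmask == HOST_MASK]
    if not host_routes:
        seen = [r.genmask for r in routes] or "none"
        findings.append(f"no host route ({HOST_MASK}) for {public_ip}; masks seen: {seen}")
    else:
        wrong = [r for r in host_routes if r.gateway != internal_ip]
        if wrong:
            findings.append(f"host route for {public_ip} points at {wrong[0].gateway}, "
                            f"expected {internal_ip}")
    entry = parse_arp_an(arp_text).get(public_ip)
    if entry is None:
        findings.append(f"no ARP entry for {public_ip}")
    else:
        if not entry.published:
            findings.append(f"ARP entry for {public_ip} is not published (no PUB flag)")
        if entry.mac != fw_external_mac.lower():
            findings.append(f"ARP entry for {public_ip} has MAC {entry.mac}, "
                            f"expected {fw_external_mac.lower()}")
    return findings


# Constructed sample output: a correct configuration ...
GOOD_NETSTAT = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.10    10.1.1.10       255.255.255.255 UGH       0 0          0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
"""
GOOD_ARP = """? (203.0.113.10) at 00:50:56:aa:bb:cc [ether] PERM PUB on eth0
? (203.0.113.1) at 00:50:56:11:22:33 [ether] on eth0
? (10.1.1.10) at 00:0c:29:dd:ee:ff [ether] on eth1
"""
# ... and one missing the host route, with the ARP entry present but not published.
BAD_NETSTAT = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
"""
BAD_ARP = """? (203.0.113.10) at 00:50:56:aa:bb:cc [ether] PERM on eth0
? (10.1.1.10) at 00:0c:29:dd:ee:ff [ether] on eth1
"""

if __name__ == "__main__":
    for label, ns, arp in (("good", GOOD_NETSTAT, GOOD_ARP), ("bad", BAD_NETSTAT, BAD_ARP)):
        problems = check_static_nat("203.0.113.10", "10.1.1.10", "00:50:56:aa:bb:cc", ns, arp)
        print(label, "->", problems or "OK")
```

On a live box the same checks run against `netstat -rn` and `arp -an` captured to files; the point of parsing rather than eyeballing is exactly Tim's remark that this is usually a small detail you read past repeatedly.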
