Re: [FW1] NAT

Tue, 29 Aug 2000 11:02:14 -0700 



i believe that NT need '-' between each bytes in an MAC address.

u should have 2 rules for your NAT, first one in outbound way, other in 
inbound way that is to say:

internal any any          --D  internal_hiding original original
any internal_hiding any   --D  original internal original

use workstation properties and check "add automaticaly NAT"
then translation rules will be generated and added by the GUI itself.
Did u remenber to make the static route on your firewall module ?
if not, nothing should work properly...
just do a "route add internal_hiding internal_interface", don't forget to 
remount static route each time you reboot the system...u can do that just by 
typing this command line in fwstart script.
In order, firewall module check its route tables before looking for NAT 
rules and so if you don't force the system to send packet to the right place 
by adding static routes, many problems may occurs like anti-spoofing rules 
blocking return translated packets.
good luck

Gregory Duchemin


>
>I've setup the local.arp file.
>Does the format for the MAC address
>include : or are the spaces in between
>the digits blank (00:00:00:00:00:00 or 00 00 00 00 00 00)?
>I can ping the external interface but I
>can't get to the router.
>I only have one rule for NAT
>source=internal
>dest=any
>service any
>source internal hiding address
>dest=orginal
>service=orginal
>Installed on=all
>The security policy has any any any accept.
>What am I missing?
>
>Tim
>
>
>================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
>================================================================================

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at 
http://profiles.msn.com.



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Reply via email to