Arno,
Maybe you know how to get rid of the NDISWANIP adapter interface when
using RRAS? When I use RRAS and use the IP network router wizard, NG thinks
there is an NDISWANIP interface when I do a get interfaces in the topology
tab of the firewall object. If I delete it I then get a warning about
antispoofing when I apply a policy. Where did I go wrong?
Thanks
Bob
>From: Arno Hechenberger <[EMAIL PROTECTED]>
>To: "'Robert Thompson'" <[EMAIL PROTECTED]>, "FW-1 Mailing
>List ([EMAIL PROTECTED])"
><[EMAIL PROTECTED]>
>Subject: AW: [FW1] CheckPoint 4.1 SP3 on Windows 2000 and static NAT... No
>go...
>Date: Mon, 6 Aug 2001 09:32:06 +0200
>
>Hello !
>
>This is a problem with Win2k and RRAS. Look at Q282312 on TechNet
>It will be fixed in Win2k SP3
>
>Use Checkpoint NG and try the automatic translation rules - it will work
>fine just now - but the local.arp is ignored by Win2k
>
>Arno
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of
>Robert Thompson
>Sent: Friday, 3 August 2001 08:04
>To: [EMAIL PROTECTED]
>Subject: [FW1] CheckPoint 4.1 SP3 on Windows 2000 and static NAT... No
>go...
>
>
>
>Is it me, or does CheckPoint's "FWXT_DST_STATIC" NAT suck really hard?
>
>I have spent 6 hours reading postings to the CheckPoint newsgroups and
>reading various engineers' solutions to making static NAT work. I have read
>the entire CheckPoint Firewall-1 book by Goncalves and Brown, the manual
>that accompanied the software, CheckPoint's secure knowledgebase, phoneboy's
>site, and some Star Wars dude's site... and I still can not make a simple
>static mapping from a public external IP address to an internal private one.
>Hmmm....
>
>Steps I've taken...
>
>1) chose a second, unused and provisioned IP from our block of Internet IPs
>to use for the static mapping (209.x.x.103)
>
>2) I did not bind this IP to an interface (per the majority of the dazed
>and confused)
>
>2) configured an internal and external network object (several different
>configurations here... some people say use automatic translation... some
>say do not use automatic translation but instead create the rules manually)
>
>3) added a permanent route for the external address (route add -p
>209.x.x.103 mask 255.255.255.255 192.168.0.2)
>
>4) added MAC to IP translation in local.arp file under $FWDIR/FW1/STATE
>(209.x.x.103 aa-bb-cc-dd-ee-ff)
>
>5) verified the translation was in effect by checking the results of the FW
>CTL ARP command... and just to clear up some inconsistencies floating around
>the newsgroups... according to the output of this checkpoint command *both*
>- and : work for the MAC address in the local.arp file
>
>6) stopped the firewall with the fwstop command
>
>7) started the firewall with the fwstart command
>
>9) Re-verified that CheckPoint's static NAT sucks really hard.
>
>At first I thought maybe I was missing something, but later came to realize
>that I could never read all the postings about the confusion on the setup
>of static NAT in the newsgroups... there's just too many.
>
>CheckPoint has really dropped the ball here. I can't believe they have no
>documentation on their website except for a 1997 document by Joe DiPietro
>for FireWall-1 version 3.0. Hell, it took me 5 minutes to find the
>knowledgebase at CheckPoint. For such a basic feature, I don't see where
>all the difficulty comes from. Where I have the problem is... if it eludes
>this many people, why is there not a GUI wizard for setting up static NAT?
>Do you really want me to believe that you can't front-end a couple APIs
>with a VB app that will inject a static route and modify some cryptic ASCII
>local.arp file just by asking you in plain English 1) the public IP address
>2) the private address you're hiding, and 3) the MAC address of the external
>NIC? Come to think of it... I can do it with two questions as long as it's
>not a load balanced environment.
>
>Flustered and discombobulated...
>
>-BackBoneBoy-
>