Well, it sounds like you're missing your "no NAT" rules...  With internal-to-DMZ 
traffic, you will want to add two no-NAT rules to the top of your 
Address Translation rules:
InternalNet, DMZnet, original, original
DMZnet, internalNet, original, original

That should fix you up... and get your weekend started on the right foot!

    Joe



[EMAIL PROTECTED] wrote:

>       I have a question (more of an understanding of functionality issue) 
>about FW-1 ver4.1, in regards to something having come up when I 
>tried to debug an assumed network problem. Here is the 
>environment: "three-leg" FW-1 setup (one leg internal, one DMZ, and 
>one Internet). The problem I was having forced me to run Ethereal on 
>one machine (the "client") placed internally (let's say 172.16.1.1) and 
>also run Ethereal on the "server" located in the DMZ (let's say 
>x.y.z.w), which the client has problems communicating with. Here is 
>the (to me - the FW-1 newbie) strange problem:
>
>- the trace taken on the machine inside shows communication 
>between: 172.16.1.1 port "n" <---> x.y.z.w port 80
>- the trace taken on the server shows communication between:
>x.y.z.t port "m" <---> x.y.z.w port 80, where x.y.z.t is the DMZ 
>interface address on the firewall, and port "m" is obviously other than 
>"n" of the client!!!
>- FW-1 has NO rule to NAT the internal machines!!!
>- the access from the internal machine to DMZ is free!!!
>
>       And here is my (again - apologies for not knowing FW-1) opinion: 
>FW-1 should have behaved like a router, with replacement (obviously) 
>only of the MAC address of the DMZ interface, when allowing the 
>internal client out on the DMZ (which is another subnet), but NOT the 
>replacement IP and port ?!?! It looks to me like a router-like behavior 
>is actually now behaving like a NAT and PAT ?!? Is there anything I 
>am missing here?!?
>
>TIA,
>Stef
>
>
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================
>

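To show why Joe's rules have to sit at the top, here is a small first-match model of an FW-1 address translation rulebase. It is added here and is not code from the thread or from Check Point; it assumes a hide rule for InternalNet behind the DMZ interface already exists (the likely cause of the x.y.z.t/port "m" symptom Stef saw), and the DMZ addresses are constructed since the thread only gives x.y.z.*.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (the thread only gives x.y.z.* for the DMZ).
INTERNAL_NET = ip_network("172.16.0.0/16")
DMZ_NET = ip_network("192.0.2.0/24")       # assumed DMZnet
DMZ_IFACE = "192.0.2.1"                    # assumed FW-1 DMZ interface (x.y.z.t)
ANY = ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    src: IPv4Network
    dst: IPv4Network
    hide_behind: Optional[str]   # None means "Original" (no translation)


def translate(rulebase: List[NatRule], src_ip: str, src_port: int,
              dst_ip: str) -> Tuple[str, int]:
    """Return (source IP, source port) as the destination host would see it.

    Rules are evaluated top to bottom and the first match wins, which is why
    a no-NAT rule placed below a broader hide rule is never reached.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rulebase:
        if s in rule.src and d in rule.dst:
            if rule.hide_behind is None:
                return src_ip, src_port          # router-like: IP and port kept
            # Hide NAT: source becomes the hide address and gets a new port
            # (constructed fixed high port; real gateways allocate dynamically).
            return rule.hide_behind, 10000 + src_port
    return src_ip, src_port                      # no rule: no translation


# Rulebase as the symptom implies: one hide rule covering internal -> anywhere.
HIDE_ONLY = [NatRule(INTERNAL_NET, ANY, DMZ_IFACE)]

# Joe's fix: the two no-NAT rules placed ABOVE the hide rule.
NO_NAT = [NatRule(INTERNAL_NET, DMZ_NET, None),
          NatRule(DMZ_NET, INTERNAL_NET, None)]
FIXED = NO_NAT + HIDE_ONLY

# Same rules in the wrong order: the no-NAT rules sit below the hide rule.
WRONG_ORDER = HIDE_ONLY + NO_NAT
```

Run `translate(FIXED, "172.16.1.1", 40000, "192.0.2.80")` and the DMZ server sees the real client IP and port, while the same client going to an Internet address is still hidden.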