Hi Satana,
I believe those rule 0 entries you were referring to were caused by anti-spoof rules. It got me all the time when I set up a new firewall. If you are not sure, go to "manage object", select your firewall object, then on the "interface" tab, check the "anti-spoof" rule. Make them "none" for testing purposes. (I might be wrong with these descriptions. I am away from my management station.) If everything works, then you have found the root cause of your mystery.

The next step is to set up a correct anti-spoof rule. I normally create group objects which contain the subnet itself, possible other subnets that might show up in the source field of your packets (for example, you have a router connected to this subnet too), and MOST important, the NATTED address(es) that you have. I always forget the NATTED address(es). Then I assign each of these group objects to the corresponding internal interfaces and set the external interface as "others".

Hope this helps,

eddyc

>From: "Satana" <[EMAIL PROTECTED]>
>To: "Chris Arnold" <[EMAIL PROTECTED]>, "'Brockhoven, Werner '" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>Subject: [FW1] (Still having) NAT Problem
>Date: Wed, 3 Oct 2001 18:08:28 +0200
>
>Hi everybody and thanx for all your answers....
>I've checked my FW1 rules & Address Translations and... you got me! Something was messed up.
>Anyway..... I forgot to say that I obviously did the ARPing (arp -s EXT_IP MAC_ADDR pub) and I added the route (route add EXT_IP INT_IP 1), but still it isn't working. I've got an error in the FW1 logs regarding rule 0 (?). I'm pretty out of any ideas...
>Thanx again for help and interest
>
>Lorenzo
>
>----- Original Message -----
>From: "Chris Arnold" <[EMAIL PROTECTED]>
>To: "'Brockhoven, Werner '" <[EMAIL PROTECTED]>; "''Satana' '" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Thursday, September 27, 2001 5:19 PM
>Subject: RE: [FW1] NAT Problem
>
> > I would stay away from automatic NAT rules personally. Do it manually as there used to be issues with automatic NAT rules, and manually gives you a finer level of control as well.
> >
> > Chris
> >
> > -----Original Message-----
> > From: Brockhoven, Werner
> > To: 'Satana'; [EMAIL PROTECTED]
> > Sent: 9/26/01 2:13 AM
> > Subject: RE: [FW1] NAT Problem
> >
> > Hello Lorenzo,
> >
> > So you are trying to configure static destination NAT.
> >
> > It may be easier to let FW-1 configure the NAT rule by configuring the NAT tab in the workstation object which represents the internal machine. Because you are using static destination NAT you'll have to configure a route on the firewall for the external IP address and have it point to the internal IP address of the www server. In your firewall object you'll have to configure antispoofing on the internal interface and add the external IP address of the www server. Finally you'll want to publish the external IP address on your gateway via ARP so the external router knows where to send the packets.
> >
> > Regards,
> >
> > Werner
> >
> > -----Original Message-----
> > From: Satana [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 25, 2001 10:51 AM
> > To: [EMAIL PROTECTED]
> > Subject: [FW1] NAT Problem
> >
> > Hi everybody
> > I've got this problem: I have to publish over www an internal machine (which obviously has an internal IP address) and I have to make FW1 NAT its IP to the external IP address (that is already routed on the right router & CDN).
> > I've made a rule within the "Address Translation" which says as original packet:
> > SOURCE : Internal IP
> > DESTINATION : Any
> > SERVICE : Any
> > as translated packet:
> > SOURCE : External IP
> > DESTINATION : Original
> > SERVICE : Original
> > And it's obviously installed on the FW1 cluster.
> > There's also a rule in the security policy:
> > SOURCE : Any
> > DESTINATION : External IP
> > SERVICE : http
> > ACTION : Accept
> > What do I have to do now? To me it seems all fine, but it doesn't work.
> > Where am I doing it wrong?
> > Thanks in advance
> >
> > Lorenzo

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
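The three pieces the thread says a static NAT setup needs (the NATed address inside the internal interface's anti-spoof group, a host route for EXT_IP pointing at INT_IP on the firewall, and a published ARP entry) as a small configuration audit. This is added example code, not from the thread or from Check Point; the addresses, the dictionary layout and the helper names are constructed assumptions.

```python
import ipaddress

# Constructed sample configuration (assumption: not from the thread, addresses made up).
# Each interface's "valid_addresses" is its anti-spoof group; the external
# interface is set to "others" as eddyc describes.
INTERFACES = {
    "internal": {"valid_addresses": ["10.1.1.0/24"]},   # NATed address not added yet
    "external": {"valid_addresses": "others"},
}
# Static NAT rules: internal host -> public address ("External IP" in the thread)
STATIC_NAT = [{"internal": "10.1.1.20", "external": "203.0.113.20"}]
# Host routes on the firewall (route add EXT_IP INT_IP 1), keyed by external address
ROUTES = {"203.0.113.20": "10.1.1.20"}
# External addresses that have a published ARP entry (arp -s EXT_IP MAC_ADDR pub)
PUBLISHED_ARP = set()   # nothing published yet in this sample


def interface_for(ip, interfaces):
    """Name of the interface whose anti-spoof group contains ip, or None."""
    ip = ipaddress.ip_address(ip)
    for name, spec in interfaces.items():
        nets = spec["valid_addresses"]
        if nets == "others":
            continue          # catch-all interface, never a positive match
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return None


def check_static_nat(nat_rules, interfaces, routes, published_arp):
    """Return one finding per missing piece for every NAT rule; an empty
    list means the static NAT setup described in the thread is complete."""
    findings = []
    for rule in nat_rules:
        inside, outside = rule["internal"], rule["external"]
        iface = interface_for(inside, interfaces)
        if iface is None:
            findings.append(f"{inside}: no interface anti-spoof group covers it")
            continue
        # Werner/eddyc: the NATed address belongs in the internal interface's group
        if interface_for(outside, interfaces) != iface:
            findings.append(f"{outside}: missing from anti-spoof group of '{iface}' (expect rule 0 drops)")
        # Route EXT_IP -> INT_IP on the firewall itself
        if routes.get(outside) != inside:
            findings.append(f"{outside}: no host route pointing at {inside}")
        # Published ARP so the external router delivers EXT_IP to the gateway
        if outside not in published_arp:
            findings.append(f"{outside}: no published ARP entry on the gateway")
    return findings
```

Running `check_static_nat(STATIC_NAT, INTERFACES, ROUTES, PUBLISHED_ARP)` on the sample reports the missing anti-spoof entry and the missing ARP entry; adding `203.0.113.20/32` to the internal group and publishing the address clears both.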
