Remove your auto-NAT configuration.
Define a host object with the IP that you want to NAT with - the address of the
FW internal interface. (Check Point will tell you that another object has this
IP; just ignore it and hit OK.)
Define your NAT rule and use the object that you created above as the hide in
the source field of the translated packet.
I do this for traffic from our vendors so we don't have conflicting address
space.
Robert Laidlaw
Senior Network Engineer
EnvestnetPMC, Inc.
rlaidlaw(at)envestnetpmc(dot)com
-----Original Message-----
From: Robert MacKinnon [mailto:robert.mackinnon AT BROADPARK DOT NO]
Sent: Monday, May 19, 2003 9:36 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Can't config "Hide behind install on GW"
I'm trying to configure a Nokia IP120 running CP FW-1 NG FP3 to hide
outbound traffic on the server side to the IP address of the FW. In 4.1,
this meant defining a hide NAT rule with 0.0.0.0 at the target address. In
NG, I am supposed to use the "Hide behind the interface of the install on
gateway" option in the NAT tab of the gateway's properties. When I select
"add automatic translation rules" and then select this radio button, I
cannot install the policy on the gateway. I get the error during compile
"The module osl-vpn01a cannot have a NAT rule intalled on ALL. The module
cannot translate its own address." The only choice I have in the
Install-on GW pull-down menu is "* ALL"; there is no other choice. In demo
mode, the Smart dashboard shows *ALL and several other gateways in the
pull-down menu.
What am I doing wrong with my config? How do I get Hide NAT to work the
way I want?
- Rob.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================