Re: [FW-1] Question regarding NAT rules

Subject:	Re: [FW-1] Question regarding NAT rules
From:	Kevin_Butters AT MCAFEE DOT COM
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Fri, 27 Aug 2004 11:46:39 -0700

Sounds right. We use the same config. Check the NAT properties on the
cluster object. It should say Hide Nat.

If you have multiple NAT rules try moving the rule up. You might have to
put a no-nat rule above for the sync network if you do.

-K


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Kim,
Cameron
Sent: Friday, August 27, 2004 12:55 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Question regarding NAT rules


How does everyone write their NAT rules?

I have a design with clustered checkpoint on nokia (using vrrp).
Multiple subnets being routed through the core.

I thought you could make nat rule like this

Original packets
Internal subnets object (includes all internal subnets) - any
destination - any service

Translated Packets
Checkpoint cluster gateway object (hide) - any destination - any
service.

But for some reason this rule doesn't work. I see the packets being
accepted in the smartview tracker, but no translation.

Temporarily, I have created a host object with the external ip of the
firewall and that seems to work ok.

But I have been told by different sources that I should have written a
nat rule for each subnet.

Why does the rule not work in the above example?

Cameron Kim

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [FW-1] Question regarding NAT rules, Kevin_Butters <= [FW-1] Question regarding NAT rules, Kim, Cameron Re: [FW-1] Question regarding NAT rules, Mihai Lupu

Previous by Date:	[FW-1] Luna accelerator driver download, Javier Lara Sanchez
Next by Date:	Re: [FW-1] Checkpoint NG fp3 and IPSO 3.8, Thorsten Behrens
Previous by Thread:	Re: [FW-1] Checkpoint NG fp3 and IPSO 3.8, Claudio Mena
Next by Thread:	[FW-1] Question regarding NAT rules, Kim, Cameron
Indexes:	[Date] [Thread] [Top] [All Lists]