Hello,
You have to be very careful about NAT rule order; some of them are
created automatically from objects you define in the FW policy, and I
had a surprise when I couldn't achieve the desired order because I
wasn't allowed to write where I wanted, but only before or after these
rules. Sometimes you need to experiment and see how the FW policy
behaves when it builds the rules.
Also, I think there is a mistake in your configuration: you have
original packet / any destination / any service, but after that you need
translated source / original destination / original service.
Best regards,
Mihai
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Kim,
Cameron
Sent: Friday, August 27, 2004 20:55
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Question regarding NAT rules
How does everyone write their NAT rules?
I have a design with clustered Checkpoint on Nokia (using VRRP).
Multiple subnets are being routed through the core.
I thought you could make a NAT rule like this:
Original packets:
  Internal subnets object (includes all internal subnets) - any
  destination - any service
Translated packets:
  Checkpoint cluster gateway object (hide) - any destination - any
  service
But for some reason this rule doesn't work. I see the packets being
accepted in SmartView Tracker, but no translation.
Temporarily, I have created a host object with the external IP of the
firewall and that seems to work OK.
But I have been told by different sources that I should have written a
NAT rule for each subnet.
Why does the rule not work in the above example?
Cameron Kim
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
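The two points raised in this thread, that the NAT rule base is walked in order so a broad rule placed first can make a later, narrower rule dead, and that the translated columns should be "translated source / original destination / original service" rather than "any", can be illustrated with a small rule-base simulator. The following is an added example, not Check Point code and not from either poster; it assumes first-match semantics, models "Original" in a translated column as leaving that field untouched, and uses constructed addresses (10.0.0.0/8 for the internal group, 198.51.100.1 as the cluster's external address) and rule names chosen for this example only.

```python
"""Toy first-match NAT rule base modelled on the Check Point
'Original Packet / Translated Packet' layout. Added example; assumptions:
first matching rule wins, None in a translated column means 'Original'
(keep the packet's own value), a hide rule rewrites only the source."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    svc: str            # e.g. "tcp/80"


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: Tuple[str, ...]   # CIDR networks, or (ANY,)
    orig_dst: Tuple[str, ...]
    orig_svc: Tuple[str, ...]   # service names, or (ANY,)
    # Translated columns: None keeps the original field ("Original" in the
    # GUI); a string is the concrete replacement. "any" is not accepted here,
    # which is exactly the mistake Mihai points out in the reply above.
    xlate_src: Optional[str] = None
    xlate_dst: Optional[str] = None
    xlate_svc: Optional[str] = None


def _addr_in(nets, addr):
    return ANY in nets or any(ip_address(addr) in ip_network(n) for n in nets)


def _svc_in(svcs, svc):
    return ANY in svcs or svc in svcs


def matches(rule: NatRule, pkt: Packet) -> bool:
    return (_addr_in(rule.orig_src, pkt.src)
            and _addr_in(rule.orig_dst, pkt.dst)
            and _svc_in(rule.orig_svc, pkt.svc))


def translate(rulebase: List[NatRule], pkt: Packet):
    """Walk the rule base top-down; first match wins (assumed semantics).
    Returns (rule name or None, translated packet)."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.name, Packet(
                src=rule.xlate_src or pkt.src,
                dst=rule.xlate_dst or pkt.dst,
                svc=rule.xlate_svc or pkt.svc,
            )
    return None, pkt


def _nets_covered(outer, inner):
    """True if every network in `inner` lies inside some network in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer)
               for i in inner)


def _svcs_covered(outer, inner):
    return ANY in outer or (ANY not in inner and set(inner) <= set(outer))


def shadowed(rulebase: List[NatRule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule's
    original-packet columns completely cover theirs."""
    dead = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (_nets_covered(earlier.orig_src, later.orig_src)
                    and _nets_covered(earlier.orig_dst, later.orig_dst)
                    and _svcs_covered(earlier.orig_svc, later.orig_svc)):
                dead.append(later.name)
                break
    return dead


# Constructed sample rule base: a hide rule for the whole internal group,
# followed by a per-subnet hide rule added later. Addresses are examples.
GATEWAY_EXT = "198.51.100.1"      # assumed cluster external address
RULEBASE = [
    NatRule("hide-internal", ("10.0.0.0/8",), (ANY,), (ANY,), xlate_src=GATEWAY_EXT),
    NatRule("hide-10.2", ("10.2.0.0/16",), (ANY,), (ANY,), xlate_src=GATEWAY_EXT),
]

if __name__ == "__main__":
    print(translate(RULEBASE, Packet("10.2.0.5", "203.0.113.10", "tcp/80")))
    print("shadowed:", shadowed(RULEBASE))                  # ['hide-10.2']
    print("after swap:", shadowed(list(reversed(RULEBASE))))  # []
```

With the group-wide rule first, the per-subnet rule is reported as shadowed and never fires; swapping the order removes the shadowing, which is the ordering problem Mihai describes. The simulator deliberately has no way to express "any" in a translated column, so a rule written the way Cameron's was cannot even be entered.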