Michel,
Why are you trying to route part of the connectivity to your "Partner
Network" via your Internet connection?
Regards,
Ken...
Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM> wrote on 11/09/2004
00:58:13:
> Hello,
>
> I have a weird problem which forces me to disable
> anti-spoofing on the external interface and I would like to know if
> anybody knows why this happens and if there is a way to fix it...
>
> The current setup is the following.
>
> Eth 0 -> Leads to the Internet
> Eth 1 -> Leads to internal network
> Eth 2 -> Leads to partner network
>
> The only NATting that occurs is when a packet needs to be
> routed out of Eth0 (Internet)
>
> Topology is
>
> Eth 0 -> External
> Eth 1 -> This Network
> Eth 2 -> Partner Network
>
> Partner Network:
>
> 2.3.4.0/24
> 3.4.5.0/24
> ...
>
> Routing on the FW is:
>
> 0.0.0.0/0 -> Internet
> 2.3.4.0/24 -> Eth2
> 3.4.5.0/24 -> Eth2
> 2.3.4.50/32 -> Internet
>
> Routing-wise everything works fine.
>
> NAT Rule
>
> Eth1 2.3.4.50/32 Eth0.2 (Hide) DESTINATION
> Eth1/Eth2 ANY SOURCE DESTINATION
> Eth1/Eth2 ANY Eth0.1 (Hide) DESTINATION
>
> If from the Internal Network (Eth1) I send a packet
>
> Eth1 -> Inet Address except Partner Network -> Got NATTED -> Works fine
> Eth1 -> Partner Network -> No NAT -> Works fine
> Eth1 -> 2.3.4.50 -> Got NATTED -> Doesn't work; the Eth0 interface complains
> that it gets spoofed by the NAT address, which is on the same network as
> the Eth0 interface
>
> If I remove the anti-spoofing on Eth0, everything works fine...
>
> So does anyone know why, when trying to route a subset of a subnet
> through a different interface, the NATting won't work?
>
> Also, if I disable anti-spoofing except on Eth0, and/or set all
> networks to External, it will have the same problem.
>
> If you have any ideas or suggestions, they will be appreciated.
>
> Thanks
>
> Michel Lapointe
>
<snip>