Great Circle Associates Firewalls
(December 1997)


Subject: Checkpoint FW-1 NAT v's Routing problem
From: Edward Cracknell <edward @ securIT . net>
Date: Tue, 09 Dec 1997 21:53:41 +0400
To: "Firewall Wizards (Marcus J. Ranum's new moderated mail list)" <firewall-wizards @ nfr . net>
Cc: Firewalls Alias <firewalls @ GreatCircle . COM>

A client of mine has un petite problem with Checkpoint FW-1, version
3.0a over 2.5 Solaris.

                                Cisco 1601
      |                                                           |     
LAN 1                                                        LAN 2
(Illegal address scheme)          (Legal address scheme)

Using NAT SRC translations, the problem is that FW-1 routes before it
NATs, and so if the requirement for LAN 2 is to go to the IP address on
the Internet that corresponds with the illegal one of LAN 1, it fails.

The client doesn't want any hacks of code or non-supported solutions. I
feel it can be achieved with static routes pointing to the external
interface but the client really wants a CISCO based solution as they aim
to add lots more LAN 3's LAN 4's etc. and they have illegal addresses.

Does anyone know off hand if the 1601's support NAT? Cisco's are ver.

This would be the better solution because the firewall rules and logs
look messy after NAT.

Thanks in advance
Edward Cracknell - <edward @ SecurIT .
