David-
Actually, the correct way to do this is at the top of page 3-15, which is
simpler to understand. There, the 'route add' command specifies the ip of
the firewall as its external one, not its internal one. Here is what the ip
route add command should be:
route add 203.10.1.5 203.10.1.1
...so the router sees the destination address in its table, sends the pkt to
the firewall interface local to it, and the firewall sends the packet on
from there.
Also this keeps the external router from containing information about 1 of
your "hidden" translated addresses, in case it's ever compromised.
Hope this helps,
-Keith Salustro
(using on site shared account)
At 12:37 PM 11/14/96 +1030, David Murray wrote:
>Just a note to let you FW-1 people know that the documentation in the
>Firewall-1 Architecture and Administration booklet is wrong.
>
>If you go to section 3, Address translation, pg 15 you will see a FAQ on
>why you can't ping translated addresses. They tell you the solution is to add
>a static route from the legal(translated) address to the internal interface.
>This does not work. What it means is as follows.
>
>Internet
>  --------   203.10.1.1   --------   10.1.1.1 | DMZ
>  | Router |--------------|  FW-1  |-----------|  ------
>  --------   203.10.1.2   --------             |--| Mail | 10.1.1.2
>                                               |  ------
>
>In this case, the internal network is being translated from 10.1.1.0 to
>203.10.1.0. Let's say the mail server is being translated from 10.1.1.2 to the
>legal address 203.10.1.5 on the FW-1 using fwxlconf.
>According to the documentation, to make the FW-1 correctly pass the translated
>addresses through to the internal net we are to add a static route as follows:
>
> route add 203.10.1.5 10.1.1.1
>
>This tells it to route that address to the internal interface which gets it and
>drops it.
>
>The correct way is to route the legal address to the illegal translated address
>of the Mail server, i.e.
>
> route add 203.10.1.5 10.1.1.2
>
>This works, much to the surprise of Checkpoint and the tech support reps.
>
>Comments, Checkpoint?
>
>Dave.
>__________________________________________________________________________
>David Murray                     Phone: +61 8 8303 3300
>Systems Engineer                 Fax:   +61 8 8303 4403
>Camtech (S.A.) Pty. Ltd.         Email: dmurray@camtech.com.au
>                                 WWW:   www.camtech.com.au
>PO Box 128,                      8th Floor, 10 Pulteney Street,
>Rundle Mall, Adelaide SA 5000,   Adelaide, Australia.
>Australia.
>___________________________________________________________________________
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Keith Salustro, Network Security Engineer
-- Strategic Network Consulting (SNC) --
direct: 617-875-7672   main: 800-357-0208
pager:  617-465-4637   fax:  617-465-4637
<mailto>: Keith.Salustro@worldnet.att.net
or (shared account): s_khan@litle.net
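An added illustration (not part of either message): a small Python model of the external router's forwarding decision that Keith describes, run with the booklet's host route, his host route, and no host route at all. It assumes, from David's diagram, that the router's attached subnet toward the firewall is 203.10.1.0/24 and that 10.1.1.0/24 is the "hidden" translated net; the router's upstream Internet interface is not in the diagram and is omitted.

```python
import ipaddress

# Topology taken from David's diagram. The router's attached subnet toward the
# firewall is 203.10.1.0/24 (assumed); its upstream Internet side is not shown
# in the diagram and is left out. 10.1.1.0/24 is the translated ("hidden") net.
ROUTER_CONNECTED = {"203.10.1.0/24": None}          # None = directly connected
HIDDEN_NETS = [ipaddress.ip_network("10.1.1.0/24")]

# The two candidate host routes for the mail server's legal address 203.10.1.5.
DOC_ROUTE = {"203.10.1.5/32": "10.1.1.1"}     # booklet: gateway is the FW's internal interface
KEITH_ROUTE = {"203.10.1.5/32": "203.10.1.1"}  # reply: gateway is the FW's external interface


def router_table(static_routes):
    """Router's forwarding table: attached subnet plus the candidate static route(s)."""
    return {**ROUTER_CONNECTED, **static_routes}


def lookup(table, addr):
    """Longest-prefix match; returns (network, gateway) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, gw in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def forward(table, dst, max_depth=4):
    """On-link address the router hands the packet to, or None when the matching
    route's gateway cannot be resolved to an attached subnet (packet is unroutable)."""
    hop = ipaddress.ip_address(dst)
    for _ in range(max_depth):
        match = lookup(table, hop)
        if match is None:
            return None                    # no route covers this hop at all
        _, gw = match
        if gw is None:
            return str(hop)                # attached subnet: router ARPs for it here
        hop = ipaddress.ip_address(gw)     # static route: resolve its gateway recursively
    return None


def exposed_hidden_hops(table):
    """Keith's second point: routes whose gateway reveals a hidden (translated) address."""
    return sorted(p for p, gw in table.items()
                  if gw is not None and any(ipaddress.ip_address(gw) in h for h in HIDDEN_NETS))


if __name__ == "__main__":
    for label, routes in (("no host route", {}), ("booklet", DOC_ROUTE), ("reply", KEITH_ROUTE)):
        t = router_table(routes)
        print(f"{label:14s} hands packet to {forward(t, '203.10.1.5')}, exposes {exposed_hidden_hops(t)}")
```

With the booklet's route the router has no way to reach the gateway 10.1.1.1 and the packet is unroutable; with Keith's route it is handed to the firewall's external interface and no hidden address appears in the router's table.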