Jose R. Ferreira
16/05/97 16:32
Hello,
I have a FireWall-1 2.0 VPN (output of "fw ver" - "This is CheckPoint
FireWall-1 Version 2.0e [VPN]") installed in the company I am working for.
Well, I realized that the traceroute command from the internal network to
any address on Internet (external network)
doesn't work well. The traceroute command is only able to show hosts and
routers traced in the internal network, never in the external.
Using the "snoop" command on the FireWall machine and a Windows NT analyser
as a source of the traceroute packets, analysing frames going out from the
FireWall to the internal network I verified that the NAT is not
translating the destination address to the internal network address, in
case of "ICMP Time Exceeded" datagram sent from hosts or routers on
Internet. The destination address remains the external address configured
in my rules, that is to say, the NAT didn't translate the external address
to the internal address even though there is a rule to do that.
Using a router in the external network I have tested my NAT translation
rules with other commands like Ping or Telnet and this worked fine. I saw
it on the output of snoop that the NAT is correctly translating the
destination address to the internal network address, so my configuration
seems to be ok.
I have looked for this bug on the Sunsolve and I have found a Jumbo Patch
for Solstice FireWall-1 2.0 VPN (103337-5), I installed it but it didn't
correct the problem.
Has anybody found this kind of problem?
Thanks,
Jose Ricardo