Hi Jean-Pierre.
You are right, the route from the original posting (not mine) is wrong. But PINGs
passed through FW-1 without DST_STATIC translation aren't fiction.
My configuration was:

              10.253.7/24           10.241.1.248/30          10.241.1/24
 ------------               ------                   --------
 | Big Int. |               |    |                   |Ext.  |
 | Router   |.254      .250 | FW |.249         .250  |Router|.253
 | BCN      |---------------|    |-------------------|ASN   |-------- Ext. World
 |          |               |    |                   |      |
 ------------               ------                   --------
Address translation :
FWXT_SRC_STATIC 10.80.19.3 --> 10.241.1.34
FWXT_DST_STATIC 10.241.1.34 --> 10.80.19.3
Host 10.80.19.3 is 3 hops behind BCN.
FW has routes to BCN for all internal networks, a default route to the
ASN interface 10.241.1.250, and
+ route add 10.241.1.34 10.253.7.254 1 (to BCN) for DST_STATIC
ASN has
+ route add 10.241.1.34 10.241.1.249 1 (I use Solaris
notation, not Bay Networks)
When I tried to ping 10.241.1.34 from the External World I received
TTL exceeded from 10.253.7.254.
Using snoop I caught that the FW does not perform DST_STATIC translation and
sends the ping to 10.241.1.34 instead of 10.80.19.3 from the internal interface.
BCN sends this ping back to the FW with the TTL decremented, and so on ...
But Telnet to 10.241.1.34 works well with proper address translation.
To avoid this problem I turned off ICMP on the FW. Where my mistake is, I don't
know.
> Hi Denis,
>
> + We have FW-1 2.1c and SRC/DST translation works great!
> (even with PING)
>
> + However, I think that the added route is bad:
>
> route add 192.168.1.10 195.176.1.10 1
>
> + instead of :
>
> route add 195.176.1.10.1 192.168.1.10 1
>
> + Furthermore, be careful with the MAC address specified in
> the publication ARP:
>
> arp -s 195.176.1.10 mac_address_of_the_nic_195.176.1.3 pub
>
> + Best Regards,
>
> dlg@jet.msk.su (Denis Golubev) wrote:
> > > Hello,
> > >                  ---------------
> > >                  |             |
> > > Internet         |             |  Internal Network
> > > -----------------|     GW      |-------------------- mail server
> > >     195.176.1.3  |             |  192.168.1.1           192.168.1.10
> > >                  ---------------
> > >
> > > Using fwxlconf, I defined two rules:
> > >
> > > 192.168.1.10 192.168.1.10 SRC_STATIC 195.176.1.10
> > > 195.176.1.10 195.176.1.10 DST_STATIC 192.168.1.10
> > >
> > > I also defined arp -s 195.176.1.10 mac_address_of_the_gateway pub
> > > I also defined a static route in the gateway: route add 192.168.1.10
> > > 195.176.1.10 1
> > >
> > > I installed rules again.
> > >
> > > The mail server is unable to ping the router 195.176.1.1.
> > > A machine from the internet is unable to ping 195.176.1.10.
> > >
> > > With snoop -vd interface I checked that the NAT is not functioning.
> > >
> > > Could somebody tell me what is wrong?
> > >
> > > Best Regards
> > >
> > > Raymond Sleiman
> > >
> >
> > It seems to me that Checkpoint FW-1 2.1c does not perform FWXT_DST_STATIC
> > translation for ICMP. Snoop shows me that ICMP packets directed to the external
> > interface are sent from the internal interface with the original (e.g.
> > 195.176.1.10) destination address. But for TCP the FWXT_DST_STATIC scheme
> > works well.
> > To avoid this problem I turned off ICMP on FW-1 (in the properties window).
> >
> > Regards,
> >
> > Denis
Regards,
Denis
---------------------------------
Denis Golubev, Moscow, Russia
Jet Infosystems Technical Staff
Phone: (+7 095) 973-48-48   E-mail: dlg@jet.msk.su
Fax: (+7 095) 973-48-42
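The ping loop Denis describes (FW forwards the untranslated ICMP packet to BCN, BCN's default route sends it back, TTL runs out) as an added Python simulation; this is constructed for illustration and is not code from the list or from Check Point. It assumes node names ASN/FW/BCN/HOST, routing tables inferred from the message, the 3 hops behind BCN collapsed into one, and a FW that applies DST_STATIC only to the protocols listed in nat_protos.

```python
import ipaddress

# Constructed routing tables for the topology in the message (assumed).
ROUTES = {
    "ASN": {"10.241.1.34/32": "FW", "0.0.0.0/0": "EXT"},
    "FW":  {"10.80.0.0/16": "BCN", "10.241.1.34/32": "BCN", "0.0.0.0/0": "ASN"},
    "BCN": {"10.80.19.0/24": "HOST", "0.0.0.0/0": "FW"},
}
DST_STATIC = {"10.241.1.34": "10.80.19.3"}   # FWXT_DST_STATIC entry from the message


def next_hop(node, dst):
    """Longest-prefix match in the node's routing table."""
    addr = ipaddress.ip_address(dst)
    best = max((ipaddress.ip_network(p) for p in ROUTES[node]
                if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return ROUTES[node][str(best)]


def forward(proto, dst, nat_protos=("tcp",), ttl=255, max_hops=600):
    """Walk one packet from the External World toward dst.

    nat_protos lists the protocols FW translates on its external
    interface; the default ("tcp",) reproduces the observed behaviour
    (Telnet translated, ICMP not). Returns (outcome, node or address).
    """
    node = "ASN"
    for _ in range(max_hops):
        ttl -= 1                                # each forwarding hop decrements TTL
        if ttl == 0:
            return ("ttl-exceeded", node)       # this node sends Time Exceeded
        if node == "FW" and proto in nat_protos:
            dst = DST_STATIC.get(dst, dst)      # DST_STATIC applied on the way in
        node = next_hop(node, dst)
        if node not in ROUTES:                  # HOST or EXT: packet leaves the model
            return ("delivered", dst)
    return ("loop", node)
```

With the default TTL of 255 the ICMP packet bounces between FW and BCN until BCN decrements it to zero, which is the source of the TTL exceeded Denis saw; translating ICMP as well delivers it to 10.80.19.3.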