Great Circle Associates Firewalls
(August 1997)

Subject: Re: Firewall-1, Static Address Translation problem [2]
From: "John DIas" <johndias @ inreach . com>
Date: Thu, 7 Aug 1997 16:03:13 -0700
To: "Patrik Backstrom" <pb @ techno . org>, <firewalls @ GreatCircle . COM>
Reply-to: <@inreach.com>

I'm having a similar problem and removing the IP spoofing has not helped.

I have an internal email host that I'm trying to get working with address
translation, but alas to no avail.

	orig address   range         xlate         command
	172.20.1.3     172.20.1.3    209.22.4.3    fwxl_SRC_static
	209.22.4.3     209.22.4.3    172.20.1.3    fwxl_DST_Static

 where 172.20.1.3 is the bogus address and 209.22.4.3 is the registered
address.

 the manual states that you must add static routes to the internal
interface, so

route -n add 172.20.1.3  172.20.1.1  1    ( note manual has hop count of 1 and not 0 ? )
route -n add 209.22.4.3  172.20.1.1  1    ( note also, that the manual uses host routes )

( 172.20.1.1 is the address of the internal interface )

Also, the object definition is defined as 209.22.4.3 for the mailhub, as
the upstream ISP will deliver the mail to the registered address, but the
internal workstations ( well Macs ) see the mailhub as 172.20.1.3, which
is ok 'cause the internal machines can get to the POP port without the
firewall screwing them up....

 I have followed the manual to every last detail ( did I mention this is
fw1 v2.1?? ) and still no results.  
 I'm snooping the external interface on the gateway ( Checkpoint's term for
this thing ) and the gateway is sending ICMP BAD HOSTS, which can mean
network unreachable with sub-nets, or host not reachable. Also I've seen
ICMP BAD PORT messages.

If anyone has had this problem or can just see where I'm blowing it or if
the manual is wrong, I'd love to hear from you.

cheers and stumped
john dias
----------
From: Patrik Backstrom <pb @ techno . org>
To: firewalls @ GreatCircle . COM
Subject: Firewall-1, Static Address Translation problem [2]
Date: Saturday, August 02, 1997 6:31 AM

Thanks to everyone who answered.

The problem was (and still is) the anti-spoofing feature. The manual says
you should add the hidden and the official IP addresses to both the
internal and external interface on the firewall. This doesn't help, the
firewall still drops the packets. But as soon as I remove the anti-spoofing
features (i.e. setting both interfaces to accept any IPs), everything
works just fine.

Since I really would like to use the anti-spoofing features, this is a bit
of a problem. Any ideas?

/pb

 ---------------------------------------------------------------------
  Patrik Bäckström (BOFH)   Phone........: +46-(0)706-661928
  Hjalmar Bergmans gata 50  Homepage.....: http://warp.techno.org/
  422 52 Hisings Backa      E-Mail.......: pb @ techno . org

  PGP Pub Key......: http://warp.techno.org/~pb/pgpkey
             \.....: finger pb @ warp . techno . org
 ---------------------------------------------------------------------

---------- Forwarded message ----------
Date: Wed, 30 Jul 1997 12:34:26 +0200 (MET DST)
From: Patrik Backstrom <pb @ techno . org>
To: firewalls @ greatcircle . com
Subject: Firewall-1, Static Address Translation problem

Hi!

I have a problem with static address translation. When the client on the
inside connects to the outside, everything works fine. But when a machine
on the outside tries to connect to the client's valid IP, it just won't go
through the firewall.

I have configured the Network Object, Workstation, Address Translation for
Automatic Rules, Static and the Valid IP address.

The logs on the Firewall-1 say that the packet is accepted, but it won't
reach the internal client.

It can't be a routing problem, since it works fine when the client
connects to the outside world. The source IP after the translation is also
correct.

/pb

 ---------------------------------------------------------------------
  Patrik Bäckström (BOFH)   Phone........: +46-(0)706-661928
  Hjalmar Bergmans gata 50  Homepage.....: http://warp.techno.org/
  422 52 Hisings Backa      E-Mail.......: pb @ techno . org

  PGP Pub Key......: http://warp.techno.org/~pb/pgpkey
             \.....: finger pb @ warp . techno . org
 ---------------------------------------------------------------------

----------

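The two requirements that come up across this thread (the static SRC/DST rule pair in John's table must be mirror images of each other, the manual's host routes for both the hidden and the official address must point at the internal interface, and, per Patrik's reply, the manual wants both addresses listed as valid on both interfaces for anti-spoofing) can be checked mechanically before touching the gateway. The script below is an added example written for this archive page; it is not Check Point code and does not model how FireWall-1 itself orders NAT and anti-spoofing. It assumes the two-rule table format shown in the post, the `route -n add <dest> <gateway> <metric>` form John used, and a constructed per-interface list of valid addresses; all sample data is copied from the thread or constructed.

```python
"""Sanity-check a FireWall-1-style static NAT table against the host routes
and anti-spoofing address lists the thread says the manual requires.
Constructed example for this mailing-list page, not Check Point code."""
import ipaddress
import re

# Constructed copy of the NAT table John posted (hidden 172.20.1.3,
# registered/official 209.22.4.3).
NAT_TABLE = """\
orig address   range         xlate         command
172.20.1.3     172.20.1.3    209.22.4.3    fwxl_SRC_static
209.22.4.3     209.22.4.3    172.20.1.3    fwxl_DST_Static
"""

# Constructed copy of the host routes John added; 172.20.1.1 is the
# gateway's internal interface.
ROUTES = """\
route -n add 172.20.1.3 172.20.1.1 1
route -n add 209.22.4.3 172.20.1.1 1
"""
INTERNAL_IF = "172.20.1.1"

# Constructed anti-spoofing "valid addresses" lists per interface, in the
# shape Patrik's reply says the manual asks for (both addresses on both sides).
VALID_ADDRS = {
    "internal": {"172.20.1.3", "209.22.4.3"},
    "external": {"172.20.1.3", "209.22.4.3"},
}


def parse_nat(text):
    """Parse the four-column table; the first line is the header."""
    rules = []
    for line in text.splitlines()[1:]:
        if line.strip():
            orig, rng, xlate, cmd = line.split()
            rules.append({"orig": orig, "range": rng, "xlate": xlate,
                          "cmd": cmd.lower()})
    return rules


def parse_routes(text):
    """Map destination -> (gateway, metric) from 'route -n add' lines."""
    routes = {}
    for line in text.splitlines():
        m = re.match(r"route\s+-n\s+add\s+(\S+)\s+(\S+)\s+(\d+)", line)
        if m:
            routes[m.group(1)] = (m.group(2), int(m.group(3)))
    return routes


def check_static_nat(rules, routes, internal_if, valid_addrs):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    for r in rules:
        for key in ("orig", "range", "xlate"):
            try:
                ipaddress.ip_address(r[key])
            except ValueError:
                findings.append(f"{r[key]} is not a valid IP address")
    src = {r["orig"]: r["xlate"] for r in rules if r["cmd"] == "fwxl_src_static"}
    dst = {r["orig"]: r["xlate"] for r in rules if r["cmd"] == "fwxl_dst_static"}
    # Each hidden->official SRC rule needs the official->hidden DST rule, and vice versa.
    for hidden, official in src.items():
        if dst.get(official) != hidden:
            findings.append(f"no fwxl_DST_static rule mapping {official} back to {hidden}")
    for official, hidden in dst.items():
        if src.get(hidden) != official:
            findings.append(f"no fwxl_SRC_static rule mapping {hidden} to {official}")
    # Manual: host routes for both the hidden and the official address via the internal interface.
    for hidden, official in src.items():
        for addr in (hidden, official):
            gw = routes.get(addr)
            if gw is None:
                findings.append(f"missing host route for {addr} via {internal_if}")
            elif gw[0] != internal_if:
                findings.append(f"host route for {addr} points at {gw[0]}, expected {internal_if}")
        # Manual (per the thread): both addresses listed as valid on both interfaces.
        for iface, addrs in valid_addrs.items():
            for addr in (hidden, official):
                if addr not in addrs:
                    findings.append(f"{addr} not in anti-spoofing valid addresses on {iface}")
    return findings


if __name__ == "__main__":
    for f in check_static_nat(parse_nat(NAT_TABLE), parse_routes(ROUTES),
                              INTERNAL_IF, VALID_ADDRS) or ["no findings"]:
        print(f)
```

Run against the data in the thread it reports nothing, which is consistent with John's observation that he followed the manual; dropping the route for 209.22.4.3 or leaving an address off one interface's valid list produces a finding naming the missing item, so the script separates "the manual's steps were not all applied" from "the manual's steps were applied and it still fails", which is the question both posters end up asking.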
