It's easy! Just remember what you are trying to do...
1) Point the packets to the firewall from the router
2) Move the packet correctly through the firewall
To do this you need to add 2 things to the firewall config.
(I am assuming V3.0 of Checkpoint on NT)
Add a local.arp entry (/winnt/fw/state/local.arp)
<ip address of translated address> <mac address of interface answering the request>
Add a route on the firewall to point the packet to the correct REAL interface.
route add -p <ip address of translated entry> <next hop NOT next interface>
(under Solaris it's the next interface)
By hop I mean the next machine on the network that the packet is meant to be going to, i.e. the internal router or the real machine's IP address.
Reinstall the rules.
Rules are as follows!
Remember, INSPECT ON INBOUND,TRANSLATE ON OUTBOUND
Therefore rules are evaluated on the original packet and the translation is the last thing that happens.
Therefore to allow access the rule set should be:
Source: any
Destination: <translated ip address>
Service: any
Action: accept
As I said... EASY! :)
Exact values are therefore -
External Interface on FW 202.36.83.102
External mapped Address 202.36.83.112
Internal Address 192.168.1.1
local.arp file entry
202.36.83.112 <mac address of 202.36.83.102>
(separate with -) (get info with ipconfig /all)
routing tables
route add -p 202.36.83.112 192.168.1.1
rules
source: any
destination: 202.36.83.112
service: http
action: accept
>-----Original Message-----
>From: ping [SMTP:ping@tm.net.my]
>Sent: Thursday, July 31, 1997 3:38 PM
>To: Patrik Backstrom
>Cc: firewalls@GreatCircle.COM
>Subject: Re: Firewall-1, Static Address Translation problem
>
>Patrik Backstrom wrote:
>>
>> Hi!
>>
>> I have a problem with static address translation. When the client on the
>> inside connects to the outside, everything works fine. But when a machine
>> on the outside tries to connect to the client's valid ip, it just won't go
>> through the firewall.
>>
>> I have configured the Network Object, Workstation, Address Translation for
>> Automatic Rules, Static and the Valid IP address.
>>
>> The logs on the Firewall-1 says that the packet is accepted, but it won't
>> reach the internal client.
>>
>> It can't be a routing problem, since it works fine when the client
>> connects to the outside world. The source IP after the translation is also
>> correct.
>
>Did you put a static route saying from that private static IP
>going to your internal gateway? And try to do a static arp
>for that private static IP with arp -s. If you didn't, your
>firewall just keeps on arp'ing.......
>
>>
>> /pb
>>
>> ---------------------------------------------------------------------
>> Patrik Bäckström (BOFH) Phone........: +46-(0)706-661928
>> Hjalmar Bergmans gata 50 Homepage.....: http://warp.techno.org/
>> 422 52 Hisings Backa E-Mail.......: pb@techno.org
>>
>> PGP Pub Key......: http://warp.techno.org/~pb/pgpkey
>> \.....: finger pb@warp.techno.org
>> ---------------------------------------------------------------------
>
>Best Regards,
>Cheng Ping Onn.
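The following is an added example, not code from the original post or from Check Point: a small Python model of how a FireWall-1 3.0 host on NT handles an inbound packet to a statically translated address, tracing the order the post describes (router ARPs for the valid address, the rule base inspects the untranslated packet, the host routes it, translation happens on the way out). It shows why each of the three pieces is needed: without the local.arp entry the ARP request goes unanswered, without the persistent route the untranslated packet follows the default route back out the external interface, and a rule written against the real internal address never matches. The three addresses are the ones quoted in the post; the MAC address, the default gateway, the internal interface address, the service port and all function names are assumptions made for the example.

```python
"""Model of FireWall-1 static NAT on NT: inspect on inbound, translate on outbound.

Added example, not Check Point code.  Addresses from the post; MAC, gateway,
internal interface and port are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

EXT_IF_IP = "202.36.83.102"        # firewall external interface (from the post)
VALID_IP = "202.36.83.112"         # external mapped (translated) address (from the post)
INTERNAL_IP = "192.168.1.1"        # real internal host (from the post)
EXT_IF_MAC = "00-00-0c-11-22-33"   # assumed: MAC of 202.36.83.102 as shown by ipconfig /all
DEFAULT_GW = "202.36.83.1"         # assumed: router on the external segment
INT_IF_IP = "192.168.1.254"        # assumed: firewall internal interface address


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Firewall:
    local_arp: dict = field(default_factory=dict)   # ip -> mac, i.e. the local.arp file
    routes: list = field(default_factory=list)      # (network, next_hop, interface)
    rules: list = field(default_factory=list)       # (src, dst, dport, action), first match wins
    static_nat: dict = field(default_factory=dict)  # valid ip -> real ip

    def answer_arp(self, target_ip):
        """MAC the firewall replies with when the router ARPs for target_ip, or None."""
        if target_ip == EXT_IF_IP:
            return EXT_IF_MAC
        return self.local_arp.get(target_ip)       # proxy ARP only for listed addresses

    def lookup_route(self, dst):
        """Longest-prefix match over the host routing table."""
        best = None
        for net, hop, iface in self.routes:
            n = ipaddress.ip_network(net)
            if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, hop, iface)
        return best

    def inspect(self, pkt):
        """Rule base evaluated on the packet as it arrived (untranslated)."""
        for src, dst, dport, action in self.rules:
            if src in ("any", pkt.src) and dst in ("any", pkt.dst) and dport in ("any", pkt.dport):
                return action
        return "drop"                              # implicit cleanup rule

    def inbound(self, pkt):
        """Trace one inbound packet from the router; returns (outcome, detail)."""
        # 1. The router must resolve the destination before it can forward anything.
        if self.answer_arp(pkt.dst) is None:
            return ("no_arp_reply", pkt.dst)
        # 2. INSPECT ON INBOUND: the rule base sees the original destination.
        if self.inspect(pkt) != "accept":
            return ("dropped_by_rule", pkt.dst)
        # 3. The host routes the still-untranslated packet.
        route = self.lookup_route(pkt.dst)
        if route is None:
            return ("no_route", pkt.dst)
        _, hop, iface = route
        if iface != "internal":
            return ("routed_back_out", iface)
        # 4. TRANSLATE ON OUTBOUND: destination rewritten as it leaves the internal interface.
        real = self.static_nat.get(pkt.dst, pkt.dst)
        return ("delivered", f"{real} via {hop}")


def build_firewall(with_arp=True, with_route=True, rule_dst=VALID_IP):
    """Firewall configured as the post describes, with switches to leave pieces out."""
    fw = Firewall()
    fw.static_nat[VALID_IP] = INTERNAL_IP
    if with_arp:
        fw.local_arp[VALID_IP] = EXT_IF_MAC                      # local.arp: 202.36.83.112 <mac of .102>
    fw.routes.append(("0.0.0.0/0", DEFAULT_GW, "external"))      # assumed default route
    fw.routes.append(("192.168.1.0/24", INT_IF_IP, "internal"))  # connected internal network
    if with_route:
        fw.routes.append((VALID_IP + "/32", INTERNAL_IP, "internal"))  # route add -p 202.36.83.112 192.168.1.1
    fw.rules.append(("any", rule_dst, 80, "accept"))             # source any, service http, accept
    return fw


if __name__ == "__main__":
    probe = Packet("10.9.8.7", VALID_IP, 80)                     # constructed external client
    print("complete config      :", build_firewall().inbound(probe))
    print("no local.arp entry   :", build_firewall(with_arp=False).inbound(probe))
    print("no static route      :", build_firewall(with_route=False).inbound(probe))
    print("rule on real address :", build_firewall(rule_dst=INTERNAL_IP).inbound(probe))
```

The last scenario is the one the "INSPECT ON INBOUND" remark is warning about: a rule whose destination is 192.168.1.1 never sees a packet with that address, because inspection runs before translation, so the accept rule has to name the valid (translated) address.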