Firewall Wizards mailing list archives

RE: Checkpoint FW-1 NAT v's Routing problem


From: Dana Bourgeois <fg () corp portal com>
Date: Tue, 16 Dec 1997 09:47:09 -0800

Checkpoint (just up the street) told us we should upgrade to 3.0b ASAP.
It is a transparent upgrade - we were concerned that SecureRemote 2.x
clients would be hosed but they are not. I would suggest that your
friend should upgrade and then work on fixing whatever problems still
exist.


-----Original Message-----
From:  Edward Cracknell [SMTP:edward () securIT net]
Sent:  Tuesday, December 09, 1997 9:54
To:    Firewall Wizards (Marcus J. Ranum's new moderated mail list)
Cc:    Firewalls Alias
Subject:       Checkpoint FW-1 NAT v's Routing problem

A client of mine has un petite problem with Checkpoint FW-1, version
3.0a over 2.5 Solaris.


                           FW-1
                             |
                        Cisco 1601
                             |
     ---------------------------------------------------
          |                                       |
        LAN 1                                   LAN 2
 (Illegal address scheme)            (Legal address scheme)
     
    
    
Using NAT SRC translations, the problem is that FW-1 routes before it
NATs, and so if the requirement for LAN 2 is to go to the IP address on
the Internet that corresponds with the illegal one of LAN 1, it fails.

The client doesn't want any hacks of code or non-supported solutions. I
feel it can be achieved with static routes pointing to the external
interface but the client really wants a CISCO based solution as they aim
to add lots more LAN 3s, LAN 4s etc. and they have illegal addresses.

Does anyone know offhand if the 1601s support NAT? The Ciscos are ver.
11.2.4

This would be the better solution because the firewall rules and logs
look messy after NAT.

Thanks in advance

-----------------------------------------------------------------
Edward Cracknell - <edward () SecurIT net>





