Re: [fw1-gurus] Static NAT limitations

Not sure if I can offer any help but this is interesting:

That may be true, but I'm curious whether this is truly an otherwise
undocumented limitation of the Checkpoint firewall product. Does a NAT
address *require* an interface in its network range? I don't think so,
and no documentation I've found refers to that, yet the cited Checkpoint
KB article (sk18463) states that it does: 

I have many different static NATs for ranges that are outside of the
NATing interface's range. Not having read the article, but does it
really mean that with Automatic NAT and automatic ARPing you have this
restriction? I believe that's how Proxy ARP behaves on devices from
other vendors by default. Have you tested by manually entering a Proxy
ARP for your global address?

I'll be a little more dogmatic than Phoneboy and say that I always
reconfigure any firewall I take ownership of to remove automatic NAT. I
really can't cope with software presuming it knows my intentions.

Good Luck!


