
Re: [fw1-gurus] Static NAT limitations

Quoting Dan Lynch <[email protected]>:

> > Can you delete and re-create the object? Perhaps it got
> > corrupted or something.
> I could, but the messages appear for most, if not all (I've been unable
> to check all), objects with an automatic static NAT to a network address
> that does not match an existing interface address. Just for this reason,
> it doesn't seem to imply object corruption.
>
> > My own bias is to use manual NAT rules and not rely on automatic ARP
> > configuration. While it is a little more work, you have a lot more
> > granularity in terms of what rules apply in what circumstances.
> That may be true, but I'm curious whether this is truly an otherwise
> undocumented limitation of the Checkpoint firewall product. Does a NAT
> address *require* an interface in its network range? I don't think so,
> and no documentation I've found refers to that, yet the cited Checkpoint
> KB article (sk18463) states that it does:
The SK is wrong. Or perhaps, to be more charitable, it's incomplete. If
the NAT address is resident on the network that's directly attached
AND is the inbound interface of the firewall, then yes, you need an
ARP entry.
However, I prefer to NAT (where necessary) using a completely virtual
network range, one that only exists IN the firewall itself. The
network routing simply ensures that the firewall interface is the next
hop to the NAT network. In this way, the previous router is really
only interested in the ethernet address of the firewall as the 'next
hop'. The firewall itself doesn't care whether the network range exists
on the firewall at all. It's completely independent.
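As an added illustration (not part of the thread, and not a Check Point tool), the following Python script applies the distinction drawn in the reply above: a static-NAT address inside a directly attached interface network needs the firewall to answer ARP for it on that interface, while an address in a virtual range needs only an upstream route with the firewall as next hop. The interface names and addresses are constructed sample values, and the route output format is an assumption.

```python
import ipaddress

# Constructed example data (hypothetical, not from the thread): the firewall's
# interfaces as name -> address/prefix. eth0 faces the upstream router.
FIREWALL_INTERFACES = {
    "eth0": "203.0.113.1/24",
    "eth1": "10.0.0.1/24",
}
EXTERNAL_IFACE = "eth0"


def nat_requirement(nat_address, interfaces=FIREWALL_INTERFACES):
    """Classify one static-NAT address against the firewall's interface networks.

    ("proxy-arp", iface): the address sits inside a directly attached network,
        so the firewall must answer ARP for it on that interface.
    ("conflict", iface): the address is the interface's own address.
    ("route", None): the address is in a virtual range; the upstream router
        needs a route to it with the firewall as next hop, and no ARP entry.
    """
    addr = ipaddress.ip_address(nat_address)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if addr == iface.ip:
            return ("conflict", name)
        if addr in iface.network:
            return ("proxy-arp", name)
    return ("route", None)


def nat_plan(nat_addresses, interfaces=FIREWALL_INTERFACES, external=EXTERNAL_IFACE):
    """Build the ARP and routing work list for a set of static-NAT addresses.

    Returns a dict with:
      "proxy_arp": {iface: [addresses]}  entries the firewall must answer for
      "conflicts": [addresses]           addresses colliding with an interface
      "upstream_routes": [strings]       prefixes the upstream router needs,
                                         collapsed into the fewest CIDR blocks,
                                         with the external interface as next hop
    """
    proxy_arp, conflicts, virtual = {}, [], []
    for a in nat_addresses:
        kind, iface = nat_requirement(a, interfaces)
        if kind == "proxy-arp":
            proxy_arp.setdefault(iface, []).append(a)
        elif kind == "conflict":
            conflicts.append(a)
        else:
            # Host address as a /32 so adjacent virtual addresses can be merged.
            virtual.append(ipaddress.ip_network(a))
    next_hop = ipaddress.ip_interface(interfaces[external]).ip
    routes = [f"{net} via {next_hop}"
              for net in ipaddress.collapse_addresses(virtual)]
    return {"proxy_arp": proxy_arp, "conflicts": conflicts, "upstream_routes": routes}


if __name__ == "__main__":
    # Constructed sample: two addresses on the attached network, two in a
    # virtual range, and one that collides with eth0's own address.
    sample = ["203.0.113.50", "203.0.113.51", "198.51.100.4", "198.51.100.5",
              "203.0.113.1"]
    for key, value in nat_plan(sample).items():
        print(key, value)
```

Running the script lists the two attached-network addresses under eth0's proxy-ARP entries, flags the interface address as a conflict, and collapses the two virtual addresses into a single route (198.51.100.4/31) that the upstream router must point at the firewall.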


fw1-gurus mailing list
[email protected]