
Re: [fw1-gurus] Static NAT limitations


Musgrave, Tom wrote:
> Not sure if I can offer any help but this is interesting:
> 
> That may be true, but I'm curious whether this is truly an otherwise
> undocumented limitation of the Checkpoint firewall product. Does a NAT
> address *require* an interface in its network range? I don't think so,
> and no documentation I've found refers to that, yet the cited Checkpoint
> KB article (sk18463) states that it does: 
> <<<<<<<<<<<<<<<<<<<<<
> 
> I have many different static NATs for ranges that are outside of the
> NATing interface's range. Not having read the article, but does it
> really mean that with Automatic NAT and automatic ARPing you have this
> restriction? I believe that's how Proxy ARP behaves on devices from
> other vendors by default. Have you tested by manually entering a Proxy
> ARP for your global address?

Basically if an ISP assigns a customer with a 192.0.2.0/26 subnet we try
to get only the 192.0.2.0/28 bit on the outside. That would leave room
for redundancy solution on both ends and some other stuff like
PacketShapers, IPS, ....

Then for the remainder of the 192.0.2.0/26 netblock there is no physical
network. NAT still works beautifully.

There is no need for ARP entries, but in order to support customers who
need to NAT from external subnets (like the 192.0.2.0/28 block in this
example) the code is still there to make it work.

So in fact there is no harm done. It's just a warning that you can
ignore now that you know why it is there. It ain't pretty but there is
no harm in them.

Hugo.

--
[email protected]               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
_______________________________________________
fw1-gurus mailing list
[email protected]
http://lists.phoneboy.com/listinfo.cgi/fw1-gurus-phoneboy.com
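As an added illustration of the point Hugo makes above (this is not code from the thread or from Check Point), a small Python helper that sorts static-NAT addresses by whether the firewall itself must answer ARP for them: only addresses on the external interface's own segment need proxy ARP, while the rest of the ISP-assigned block simply arrives via the upstream router's route. The interface address, assigned block and NAT addresses are constructed to match the 192.0.2.0/26 versus 192.0.2.0/28 example in the message.

```python
"""Classify static-NAT addresses as on-link (proxy ARP needed) or routed."""
import ipaddress


def classify_nat_addresses(interface_cidr, assigned_block, nat_addresses):
    """Return {nat_ip: verdict} for each NAT address.

    interface_cidr: the firewall's external interface, e.g. "192.0.2.1/28"
    assigned_block: the block the ISP routes to that interface, e.g. "192.0.2.0/26"
    Verdicts:
      'proxy-arp'     on the interface's segment; the firewall must answer
                      ARP for it (automatic or manual proxy ARP entry)
      'routed'        inside the assigned block but off the segment; the
                      upstream router forwards it to the interface, no ARP
      'conflict'      interface address, network or broadcast of the segment
      'outside-block' not in the assigned block; how it reaches the firewall
                      has to be checked separately
    """
    iface = ipaddress.ip_interface(interface_cidr)
    segment = iface.network
    block = ipaddress.ip_network(assigned_block, strict=False)
    verdicts = {}
    for addr in nat_addresses:
        ip = ipaddress.ip_address(addr)
        if ip in (iface.ip, segment.network_address, segment.broadcast_address):
            verdicts[addr] = "conflict"
        elif ip in segment:
            verdicts[addr] = "proxy-arp"
        elif ip in block:
            verdicts[addr] = "routed"
        else:
            verdicts[addr] = "outside-block"
    return verdicts


if __name__ == "__main__":
    # Constructed sample: ISP assigns 192.0.2.0/26, the firewall only puts
    # the first /28 of it on the wire (interface 192.0.2.1/28).
    plan = classify_nat_addresses(
        "192.0.2.1/28", "192.0.2.0/26",
        ["192.0.2.5", "192.0.2.15", "192.0.2.40", "192.0.2.70"])
    for addr in sorted(plan, key=ipaddress.ip_address):
        print(f"{addr:15} {plan[addr]}")
```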