Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Static NAT

Status
Not open for further replies.
PhoneNewbie

PhoneNewbie

IS-IT--Management
Feb 19, 2002
41
US
Hi there,

I have a Checkpoint Express NGX with 3 interfaces, 1 WAN, 1 LAN and one DMZ. After the intial install, everything appears to be ok, I can ping all the interfaces from the various networks and all is ok. The problem comes from trying to create a static NAT entry for our mail server in the DMZ.

On the firewall properties, I do NOT have hide all internal intefaces behind external interfaces checked.

I have created network objects for both the lan and dmz that ARE set to hide behind the gateway.

I have created a host object for the mail server on the dmz with a dmz address. I can ping the dmz address of the mail server from the lan. On the NAT tab of the host object, I selected static entry and entered the real routable address.

After installing the policy, I can still ping the dmz address but I cannot ping the routable address of the same box. Please advise what I'm doing wrong. Thanks so much!

Stu

PS - I currently have a default allow rule for all interfaces so there shouldn't be anything blocking security-wise, just nat screwup wise :)
 
Sort by date Sort by votes
I re-read this and I can't make sense of it. Let's try again...

I have Firewall NGX and want to expose a machine on my lan to a publicly routable IP on the wan. The lan would be 192.168.0.123 and the wan would be 111.111.111.123 (made up). I have the following rules in address translation:

1.) Orig Pkt: source=lan ip, dest=any service=any
Trans Pkt: source=wan ip (valid add), dest=orig, service=orig

2.) Orig Pkt: source=any, dest=wan ip (valid add), service=any
Trans Pkt: source=orig, dest=lan ip, service=orig


Now, from outside our network, I can ping the wan address. But if I try to ping the wan address from the lan or from the actual gateway, it gets destination host unreachable. When I ping the wan IP from the gateway, it looks like it's trying to ping it on the external interface instead of translating it to ping the local ip. What am I screwing up? Thanks!

Stu
 
Upvote 0 Downvote
I'm not 100 percent sure, but it sounds like you have nat thru the firewall disbled. Local hosts won't use nat to reach an external address if it is disabled thru the firewall and you will only be able to reach the internal address. Hope that helps in any way.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
996
intel233
intel233
steve777777
  • Locked
  • Question
Cisco ASA VPN+NAT
Replies
0
Views
203
steve777777
steve777777
dgoradia
  • Locked
  • Question
Second public IP NAT to LAN
Replies
0
Views
146
dgoradia
dgoradia
cisco222
  • Locked
  • Question
ASA and NAT
Replies
0
Views
130
cisco222
cisco222
RMurr34
  • Locked
  • Question
No Internet Access if no static map
Replies
0
Views
176
RMurr34
RMurr34

Part and Inventory Search

Sponsor

Back
Top