FireWall-1 FAQ: Can't Get to a Translated Address from a Non-Firewalled Host
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Q:
I have address translation working, but I’ve got a particular node that I can’t seem to get talking to a node on the Internal network that is being address translated. Here is my network configuration:
1st Client FireWalled Gateway Router
(10.0.0.2) <------>le0 qe0 <------->(203.234.222.254)<--------> WAN
| (10.0.0.1) (203.238.108.2) | serial
2nd Client | |
(10.0.0.3) <-- (203.238.108.80)<--
My NAT rules look like this:
================================================================================
No. | From Original | To Original | Method | First Translated
| Address(Port) | Address(Port) | | Address(Port)
--------------------------------------------------------------------------------
0 | 10.0.0.2 | 10.0.0.3 | FWXT_SRC_STATIC | 203.238.108.90
1 | 203.238.108.90 | 203.238.108.91 | FWXT_DST_STATIC | 10.0.0.2
================================================================================
My routing tables on the firewall look like:
Destination Gateway Flags Ref Use Interface
-----------------------------------------------------------------------------
127.0.0.1 127.0.0.1 UH 0 1450 lo0
203.238.108.90 10.0.0.2 UGH 0 6
203.238.108.0 203.238.108.2 U 3 27 le0
10.0.0.0 10.0.0.1 U 2 6 qe0
244.0.0.0 203.238.108.2 U 3 0 le0
default 203.238.108.254 UG 0 25
On the first machine, the routing table looks like:
Destination Gateway Flags Ref Use Interface
-----------------------------------------------------------------------------
127.0.0.1 127.0.0.1 UH 0 196 lo0
10.0.0.0 10.0.0.2 U 3 5 le0
224.0.0.0 10.0.0.2 U 3 0 le0
default 10.0.0.1 UG 0 19
The Cisco Router has the following lines in it’s configuration:
# show conf
:
:
ip route 203.238.108.90 255.255.255.255 203.238.108.2
ip route 203.238.108.91 255.255.255.255 203.238.108.2
:
:
I can ping in both direction between hosts on my WAN and 203.238.108.90, but I can’t ping from a host outside the firewall at 203.238.108.80. What am I missing here?
A:
From the “near” side of the firewall, all traffic goes to the WAN okay because routing is functioning okay at the gateway and the internal nodes know how to get traffic there. The traffic coming back from the WAN must go thru the router, which knows how to get traffic back to those translated address (thanks to the static host routes).
What has not been addressed here is the machines between the firewall and the WAN router. When 203.238.108.80 wants to send a packet to 203.238.108.90 (one of your translated addresses), it needs to know where to go. Because .80 and .90 are on the same subnet (logically), .80 sends out an ARP request (“Who is 203.238.108.90?”) looking for a MAC address to send to. Nothing is answering this request, so it fails.
What you should be doing instead of the static host routes on the router is “Proxy ARPs” on your firewall machine. See Routing and ARP Issues with NAT for more details.
