Firewall Wizards mailing list archives

Static NAT not answering


From: Nick Brandson <nickbrandson () yahoo com>
Date: Thu, 3 Jun 2004 10:57:01 -0700 (PDT)

Hi guru,

What I have done:
Set up a static-NAT rule for my web, DNS and mail servers
in my firewall; the firewall will automatically do proxy ARP for my
static-NATed (routable) address. Then set a rule to
allow incoming traffic; /27 for the subnet mask.

Before, there was no firewall in our company; each
server had two NICs, one for external with a routable
IP, one for internal with a private IP. IP routing was
not enabled between the two interfaces.

Strange things have happened since we disabled the external
interface of all servers and set the default
gateway of the internal NIC to the firewall's internal
interface:

1. The static NAT could not work (the external cannot
access the internal resource, and vice versa: the
internal server, with static NAT enabled in the
firewall, cannot access the Internet) if we use
the same routable IP in the firewall that was used for the
external interface before. The
traffic can go out to the Internet once we have
removed the static NAT for that server.

2. The static NAT works when we use another routable IP
in the NAT rule for those public-access servers, and
the outgoing connection works too.

3. Without passing through the firewall, I tried to connect
to the WAN (Internet) segment directly with my laptop
computer, setting the problematic routable IP on
the interface; outgoing and incoming traffic work
fine.

4. Tried using the problematic routable IP as the
external interface of the firewall: hide-mode NAT
works (all the internal hosts can access the Internet), and
PAT (port address translation) works too.

5. It is not a problem with my public-access servers,
because we tried another laptop with the same
IP and it wouldn't work either. It seems those IPs cause
some error or conflict with my firewall.

My guess was that the reason would be an incorrect ARP/MAC entry
in the router provided by our ISP in the first
place; however, this seems not to be the case, since when using
those problematic IPs on my laptop connecting directly
to the WAN we can make a connection to the Internet,
and we can also access my personal web server on my
laptop too...

Any ideas would be appreciated.

thanks
Nick


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
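The post above suspects a stale or conflicting ARP entry for the static-NAT addresses on the WAN segment. The script below is an added example, not code from the original post or from any firewall vendor: it parses ARP replies in the text format `tcpdump -n arp` prints and, for each static-NAT address, reports whether only the firewall's external MAC answers, nobody answers, a foreign MAC answers, or both the firewall and a foreign MAC answer. The capture lines, the IP addresses (documentation range 203.0.113.0/24) and the MAC addresses are constructed for the example. In practice you would run `tcpdump -n -i <wan-if> arp` on the firewall's external interface (or on a laptop plugged into the WAN segment) while probing each address with `arping` from another host on that segment, then feed the output to `parse_arp_replies`.

```python
import re
from collections import defaultdict

# tcpdump -n arp prints replies as "... ARP, Reply <ip> is-at <mac>, length 28".
# Requests ("Request who-has ...") are deliberately ignored.
ARP_REPLY = re.compile(
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_arp_replies(lines):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group("ip")].add(m.group("mac").lower())
    return dict(claims)


def classify_static_nat(claims, nat_addresses, firewall_mac):
    """Say who answers ARP for each static-NAT address on the WAN segment.

    ok       - only the firewall's external MAC answers (proxy ARP working)
    silent   - nobody answers; proxy ARP is not enabled for that address
    stale    - only a foreign MAC answers (a host still holding the IP)
    conflict - the firewall and a foreign MAC both answer
    """
    firewall_mac = firewall_mac.lower()
    result = {}
    for ip in nat_addresses:
        macs = claims.get(ip, set())
        foreign = macs - {firewall_mac}
        if not macs:
            result[ip] = "silent"
        elif not foreign:
            result[ip] = "ok"
        elif firewall_mac in macs:
            result[ip] = "conflict"
        else:
            result[ip] = "stale"
    return result


# Constructed capture: the format mimics `tcpdump -n arp` but nothing here
# was recorded from a real network. 00:11:22:33:44:55 is the hypothetical
# firewall external MAC; 00:0c:29:ab:cd:ef is a hypothetical leftover NIC.
SAMPLE_CAPTURE = [
    "10:57:01.000001 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 28",
    "10:57:01.000002 ARP, Reply 203.0.113.10 is-at 00:11:22:33:44:55, length 28",
    "10:57:01.000003 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 28",
    "10:57:01.000004 ARP, Reply 203.0.113.11 is-at 00:11:22:33:44:55, length 28",
    "10:57:01.000005 ARP, Reply 203.0.113.11 is-at 00:0c:29:ab:cd:ef, length 28",
    "10:57:01.000006 ARP, Request who-has 203.0.113.12 tell 203.0.113.1, length 28",
    "10:57:01.000007 ARP, Reply 203.0.113.12 is-at 00:0C:29:AB:CD:EF, length 28",
    "10:57:01.000008 ARP, Request who-has 203.0.113.13 tell 203.0.113.1, length 28",
]

# Hypothetical static-NAT addresses from the firewall's NAT table.
NAT_ADDRESSES = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
FIREWALL_MAC = "00:11:22:33:44:55"


def report(lines=SAMPLE_CAPTURE, nat_addresses=NAT_ADDRESSES, firewall_mac=FIREWALL_MAC):
    """Return the per-address status; printing is left to the caller."""
    return classify_static_nat(parse_arp_replies(lines), nat_addresses, firewall_mac)


if __name__ == "__main__":
    for ip, status in sorted(report().items()):
        print(f"{ip:16} {status}")
```

A `stale` or `conflict` result for the address that used to sit on a server NIC points at the ISP router (or another host on the WAN segment) still answering or holding the old MAC; a `silent` result means the firewall is not proxy-ARPing for that address at all, which is worth checking before blaming the router.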