RE: Static NAT not answering

["Ben Nagy" <ben () iagu net>]

Thanks for taking the time to do logical troubleshooting!

If all your data points are accurate then the problem is with the firewall -
that part's easy.

What's the firewall?

Oh, and could you clarify 2.

> 2. The static-nat works when we used other routable IP in the 
> NAT rule for those public access servers and also the 
> outgoing connection is working too.

Are these "other routable IP"s in the same subnet as the ones causing the
trouble?

As a broad-brush thing, I would think about restoring the firewall to
factory defaults and reconfiguring it from scratch. It's a sledgehammer
approach but it has worked for me more than once when under time pressure.

'luck,

ben

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of Nick Brandson
> Sent: Thursday, June 03, 2004 7:57 PM
> To: firewall-wizards () honor icsalabs com
> Subject: [fw-wiz] Static NAT not answering
>
> Hi guru,
>
> What I have done,
> Set up static-nat rule for my web, DNS, Mail servers in my 
> firewall, the fw will auto do proxy arp for my static-nated 
> (routable) address, then set a rule to allow incoming 
> traffic, /27 for sub net mask.  
>
> Before, there's no firewall in our company, each server have 
> two NICs, one for External with routable IP, one for Internal 
> with private IP. IP Routing is not enabled for two interfaces.
>
> Strange things happened since we disabled the external 
> interface of all servers and set up the default gateway of 
> the internal NIC to firewall internal interface,
>
> 1. The static-nat could not work (the external cannot access 
> the internal resource and vice versa where the internal 
> server, with static-nat enabled in the firewall, cannot 
> access the internet) if we are using the same routable IP, 
> which has been used for the external interface before, in the 
> firewall.  The traffic can go out to the internet once we 
> have removed the static-nat for that server.
>
> 2. The static-nat works when we used other routable IP in the 
> NAT rule for those public access servers and also the 
> outgoing connection is working too.
>
> 3. Without passing thru the firewall, tried to connect to the 
> WAN(Internet) segment directly with my laptop computer and 
> setting up the problmatic routable IP for the interface, 
> outgoing and incoming traffic works fine.
>
> 4. Tried to use the problematic routable IP as the external 
> interface of the firewall, hide mode nat works (all the 
> internal can access internet), also the PAT Port address 
> translation works too.  
>
> 5. Not the problem of my public access servers, because we 
> tried to use another laptop with the same IP and it wouldn't 
> work though.  Seems those IP cause some error or conflict 
> with my firewall.
>
> Guessing the reason would be incorrect ARP/MAC address from 
> the router provided by our ISP, in the first place, however, 
> seems this is not the case when using those problematic IP on 
> my laptop connecting directly to the WAN and we can make a 
> connect to the internet, and also we can access my personal 
> web server on my laptop too...
>
> Any ideas would be appreciated.
>
> thanks
> Nick
>
>
>       
>               
> __________________________________
> Do you Yahoo!?
> Friends.  Fun.  Try the all-new Yahoo! Messenger.
> http://messenger.yahoo.com/
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards