CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
| I cannot ping/traceroute to any internal host from my FW. A tcpdump on the fw internal interface displays the ext vip talking to the host, not the internal interface. If I unload the policy ping does work. There is only one NAT rule that says internal network going anywhere translate to hide behind the ext vip. All traffic out to the internet is fine. I cannot push policy to my enforcements points anymore. Not sure how to solve this. Any and all suggestions would be appreciated. t - Using IPSO 4.1 NGX R60 HFA3 |
| |||
| you may want to change your nat rule as follows, as i suspect your local fw interface is included as part of your local network object? source destination localnet localnet(negated) then hide behind the ext int |
| |||
| sorry, half asleep this afternoon :-) you can't negate nat rules, only security rules. add another nat rule ABOVE your exsisting rule as follows source dest xlatesource xlatedestination localnet localnet original original |
| |||
I must have more going on here because this change had no effect. Also, when I execute a fw unloadlocal (pinging to the local net works) and then do a fw fetch, the ssh session hangs during install of the security policy and I am back to square one.

t-