CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I can't figure this one out. We have a lot of devices that are going to outside NTP servers but we want them to use internal ones. For example, I would like to redirect all ntp-udp requests going to time.windows.com (207.46.130.100) to a specific internal IP address. I set up the NAT rule as it should be, or rather, as I *think* it should be, but all that happens is a tracert to 207.46.130.100 dies after the internal interface. There's nothing in the rule base except an accept to the original IP address. We've got a lot of devices, like label printers, that have some firmware causing them to go to time servers all over the place, but it's not exposed in the administrative interface.

The rule should look something like:

Original Packet
Source: LAN-group-excluding-master-NTP-server
Service: ntp-udp
Destination: original

Translated Packet
Source: original
Service: ntp-udp
Destination: internal-time-server

internal-time-server is reachable via ntp-udp from the firewall itself. Any guesses would be appreciated.

Thanks,
Ray

Random thoughts:

* If your NAT rule is ntp-udp specific, then traceroute's not going to match it.
* Is the internal NTP server on the same LAN as the clients? Or more importantly, will replies from the NTP server be routed back via the firewall, or will they go directly to the clients?
* What do you see with fw monitor?
* One way of dealing with time.windows.com might be to just stick a specific record for that in your internal DNS to point to your internal IP.

I did "service: any" with the tracert testing. That's why it died. Nice catch. :-)

I'm thinking the replies should route back to the firewall because of Hide NAT. But that's not what appears to be happening. I was about to resort to fw monitor.

The NTP server is on the same LAN/WAN as the clients.

time.windows.com is only one of the many destinations, unfortunately. The Macs go somewhere else. The Zebra printers try to go to dozens of different NTP servers, etc.

Thanks for your thoughts,
Ray

Hi Ray,

I did something similar a while ago. Can't remember the specifics; however, if I remember correctly, I had to allow access to the NAT address in the security rules for it to work. Seems a bit odd, but I'm reasonably sure that was the solution.

I'd like to do much the same, except (ideally) redirect all NTP requests to our internal time server. However, this NAT rule:

Original Packet
Source: Internal Network
Destination: <group of common time servers, entered as hosts>
Service: NTP group

Translated Packet
Source: =Original
Destination: Local Time Server Host
Service: =Original

results in the following error when install is attempted:

NGX R61 Advanced Security
Invalid <Group> in Dst of Address Translation Rule 4. <Group> is valid only if the matching Translated column is <Original> or if the Source Translated Method is <Hide>.

Ideas, anyone? Thanks in advance.

"Destination: <group of common time servers, entered as hosts>"

Change this to original. There's no need to specify a destination if it's all time, is there?

I haven't had a chance to look into this further, hence my lack of follow-up.

Ray
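The two points the thread turns on are easy to lose in prose: a NAT rule whose Service column is ntp-udp never sees a tracert probe (Windows tracert sends ICMP echo, not UDP/123), and leaving the original Destination as "Original" makes the rule catch whatever time server a printer or Mac happens to pick, while the excluded master server still reaches the outside. The toy model below is an added example written for this thread; it is not Check Point code and does not reproduce the real NAT engine or the return-path problem raised in the second post. The 10.1.0.0/16 LAN, the 10.1.0.5 time server and the client addresses are assumed for the example; only 207.46.130.100 comes from the thread.

```python
# Added illustration for this thread: a toy model of a Check Point-style
# static destination-NAT rule base. Not Check Point code; the addressing
# below is assumed for the example (only 207.46.130.100 is from the thread).
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple

LAN = ip_network("10.1.0.0/16")                 # assumed internal network
INTERNAL_TIME_SERVER = ip_address("10.1.0.5")   # assumed master NTP server
TIME_WINDOWS_COM = ip_address("207.46.130.100") # quoted in the thread

NTP_UDP = ("udp", 123)
ANY = None  # wildcard for a rule column ("Any" / "Original")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp", "tcp" or "icmp"
    dport: int   # 0 for icmp


@dataclass(frozen=True)
class NatRule:
    """Original-packet match columns plus the translated destination.

    src_net      network the source must belong to (ANY = any source)
    src_exclude  hosts carved out of the source match (the master NTP server)
    dst          original destination to match; ANY models 'Destination:
                 Original', i.e. redirect whichever time server was chosen
    service      (proto, port) the packet must use, or ANY
    new_dst      translated destination (static destination NAT)
    """
    src_net: Optional[IPv4Network]
    src_exclude: frozenset
    dst: Optional[IPv4Address]
    service: Optional[Tuple[str, int]]
    new_dst: IPv4Address

    def matches(self, pkt: Packet) -> bool:
        src = ip_address(pkt.src)
        if self.src_net is not None and src not in self.src_net:
            return False
        if src in self.src_exclude:
            return False
        if self.dst is not None and ip_address(pkt.dst) != self.dst:
            return False
        if self.service is not None and (pkt.proto, pkt.dport) != self.service:
            return False
        return True


def translate(rules: Sequence[NatRule], pkt: Packet) -> Packet:
    """Ordered rule base: the first matching rule rewrites the destination."""
    for rule in rules:
        if rule.matches(pkt):
            return Packet(pkt.src, str(rule.new_dst), pkt.proto, pkt.dport)
    return pkt


# The rule the thread converges on: Destination left as Original, so every
# ntp-udp request from the LAN is redirected, except from the time server.
REDIRECT_ALL_NTP = NatRule(LAN, frozenset({INTERNAL_TIME_SERVER}),
                           ANY, NTP_UDP, INTERNAL_TIME_SERVER)

# The "service: any" variant used while testing with tracert.
REDIRECT_ANY_SERVICE = NatRule(LAN, frozenset({INTERNAL_TIME_SERVER}),
                               TIME_WINDOWS_COM, ANY, INTERNAL_TIME_SERVER)


def final_destination(pkt: Packet,
                      rules: Sequence[NatRule] = (REDIRECT_ALL_NTP,)) -> str:
    """Destination address the packet leaves the firewall with."""
    return translate(rules, pkt).dst


if __name__ == "__main__":
    # Constructed sample traffic (assumed client addresses).
    samples = [
        ("printer ntp", Packet("10.1.20.7", str(TIME_WINDOWS_COM), "udp", 123)),
        ("other pool",  Packet("10.1.20.8", "192.0.2.10", "udp", 123)),
        ("tracert",     Packet("10.1.20.7", str(TIME_WINDOWS_COM), "icmp", 0)),
        ("master ntp",  Packet(str(INTERNAL_TIME_SERVER), str(TIME_WINDOWS_COM), "udp", 123)),
    ]
    for name, pkt in samples:
        print(f"{name:12s} ntp-udp rule -> {final_destination(pkt):16s} "
              f"service-any rule -> {final_destination(pkt, (REDIRECT_ANY_SERVICE,))}")
```

Running it shows the asymmetry the thread describes: under the ntp-udp rule the NTP requests to time.windows.com and to an arbitrary pool server both land on 10.1.0.5 while the ICMP tracert passes through untouched, whereas under the "service: any" rule the tracert itself is redirected (which is why it died) and the request to the unlisted pool server is not.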