CPUG - The Check Point User Group - A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, I have NGX R65 and I have configured manual static NAT. I have a policy permitting telnet traffic from any to the static NAT address. In my global properties I have enabled "manual NAT rules: translate destination on client side". My internal host is 10.1.1.254 and my static NAT address is 60.1.1.1. My external host is 1.1.1.2; the firewall internal interface IP address is 10.1.1.100 and the firewall external interface IP address is 1.1.1.1. Both the internal host and the external host are Cisco routers. On the firewall I have a default route pointing to the external host. Here are my NAT rules:

Rule 1: in the original packet, source inside-host (10.1.1.254), destination any, service any; in the translated packet, source static-host (60.1.1.1), destination any, service any.

Rule 2: in the translated packet, destination static-host (60.1.1.1), source any, service any; in the original packet, destination inside-host (10.1.1.254), source any, service any.

In the global properties NAT page I have enabled "manual NAT rules: translate destination on client side". In the security rulebase I have added a rule to permit any to static-host, telnet. On the outside router I have a route for 60.1.1.1 pointing to the external interface of the firewall. I guess that with these routes, and since the static NAT address is not in the same subnet as the external interface of the firewall, I will not be needing any proxy ARP entries on the firewall, right? Because when the Cisco router does an AND operation for 60.1.1.1 it sees it has got a route, so it will directly send it to the external interface of the firewall. But still, for the past 2 days I have been working on this and am not able to reach the internal host from the external host. Can someone please help me out? I am really having a tough time with this.

Regards, Sebastan
Hi mate, I am learning Check Point. I have tried auto static NAT and it works perfectly fine. I am now trying to work on manual NAT. With manual NAT I can send traffic from the internal host to the external host and it works fine. The problem I am facing is traffic from the external host to the internal host. If you can help me out, or at least help me in figuring out where I am going wrong, because I am sure what I am trying to do is not very complicated.

Regards, Sebastan
You need to do this in the NAT rules:

Rule 1: in the original packet, source inside-host (10.1.1.254), destination any, service any; in the translated packet, source static-host (60.1.1.1), destination any, service any.

Rule 2: in the original packet, source any, destination static-host (60.1.1.1), service any; in the translated packet, source any, destination inside-host (10.1.1.254), service any.

In the security rule: source is Any, destination is static-host 60.1.1.1, service is telnet.

I just tried this on my Nokia firewall R55 and it works just fine. Think about it: when host 1.1.1.2 wants to talk to host 60.1.1.1, since you already have the route in place, the source will be "Any" (for simplicity) and the destination is 60.1.1.1 for the original packet. For the translated packet, you want to keep the source the same but change the destination to 10.1.1.254. That's it.
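To make the reply's point concrete, here is a small simulation of first-match manual NAT rule evaluation. It is an added example, not code from the thread or from Check Point; it models only the original-packet (match) and translated-packet (rewrite) columns, ignoring the rest of the product's NAT semantics. It encodes rule 2 both as the question describes it (original destination inside-host, translated destination static-host) and as the reply states it, and shows that only the latter rewrites an inbound telnet packet for 60.1.1.1 to 10.1.1.254. The proxy ARP check at the end assumes a /24 on the external interface, which the thread does not state.

```python
"""Added example: first-match manual NAT rulebase simulation (not Check Point code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: int


@dataclass(frozen=True)
class NatRule:
    # "Original packet" columns: what the rule matches. None means Any.
    orig_src: Optional[str]
    orig_dst: Optional[str]
    orig_service: Optional[int]
    # "Translated packet" columns: what gets rewritten. None means "unchanged".
    xlate_src: Optional[str]
    xlate_dst: Optional[str]
    xlate_service: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        return ((self.orig_src is None or self.orig_src == pkt.src)
                and (self.orig_dst is None or self.orig_dst == pkt.dst)
                and (self.orig_service is None or self.orig_service == pkt.service))

    def apply(self, pkt: Packet) -> Packet:
        return Packet(
            pkt.src if self.xlate_src is None else self.xlate_src,
            pkt.dst if self.xlate_dst is None else self.xlate_dst,
            pkt.service if self.xlate_service is None else self.xlate_service,
        )


def translate(rulebase: List[NatRule], pkt: Packet) -> Tuple[Optional[int], Packet]:
    """First matching rule wins (simplified model of manual NAT rules).

    Returns (1-based rule number or None if nothing matched, resulting packet).
    """
    for idx, rule in enumerate(rulebase, start=1):
        if rule.matches(pkt):
            return idx, rule.apply(pkt)
    return None, pkt


# Addresses from the thread.
INSIDE_HOST = "10.1.1.254"
STATIC_HOST = "60.1.1.1"
EXTERNAL_HOST = "1.1.1.2"

# Rule 1 (same in question and reply): outbound source translation.
RULE1 = NatRule(INSIDE_HOST, None, None, STATIC_HOST, None, None)

# Rule 2 as the question describes it: original destination inside-host,
# translated destination static-host. Inbound packets for 60.1.1.1 never match.
RULE2_AS_ASKED = NatRule(None, INSIDE_HOST, None, None, STATIC_HOST, None)

# Rule 2 as the reply states it: match original destination static-host,
# rewrite destination to inside-host, leave source unchanged.
RULE2_AS_ANSWERED = NatRule(None, STATIC_HOST, None, None, INSIDE_HOST, None)


def inbound_result(rulebase: List[NatRule]) -> Tuple[Optional[int], Packet]:
    """External host telnets to the static NAT address."""
    return translate(rulebase, Packet(EXTERNAL_HOST, STATIC_HOST, TELNET))


def outbound_result(rulebase: List[NatRule]) -> Tuple[Optional[int], Packet]:
    """Internal host telnets out to the external host."""
    return translate(rulebase, Packet(INSIDE_HOST, EXTERNAL_HOST, TELNET))


def proxy_arp_needed(static_ip: str, external_iface: str) -> bool:
    """Proxy ARP on the gateway is only needed when the NAT address lies in the
    external interface's own subnet; otherwise the next hop routes to the
    gateway's interface address. external_iface is "addr/prefixlen" (assumed /24)."""
    subnet = ipaddress.ip_interface(external_iface).network
    return ipaddress.ip_address(static_ip) in subnet


if __name__ == "__main__":
    for label, rb in (("as asked", [RULE1, RULE2_AS_ASKED]),
                      ("as answered", [RULE1, RULE2_AS_ANSWERED])):
        print(label, "inbound:", inbound_result(rb), "outbound:", outbound_result(rb))
    print("proxy ARP needed:", proxy_arp_needed(STATIC_HOST, "1.1.1.1/24"))
```

With the rulebase as asked, the inbound packet reaches the gateway still addressed to 60.1.1.1, an address no interface owns, so it goes nowhere; with the rulebase as answered it leaves rule 2 addressed to 10.1.1.254 with the source intact, which is exactly what the reply describes. Outbound traffic matches rule 1 first in both cases, which is why the question reported that direction already working.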
Mate, thanks a million for helping me out. I am going to try it out right now and I am pretty sure it will work. The logic you described is perfectly fine. I am really amazed that there is not a single configuration example of manual static NAT anywhere in the Check Point documentation. Even in the Check Point Press NGX1 they have only mentioned automatic NAT. Thanks a lot once again. I am trying it now and will let you know soon.

Regards, Sebastan