Troubleshooting guide

Chapter 3 Troubleshooting Network Address Translation Resolving Common NAT Problems
Advanced Technical Reference Guide 4.1 June 2000 23
How to set up Hide Mode Address Translation behind a dynamic address
To hide a range of addresses behind a dynamic IP address, hide the range behind the IP address 0.0.0.0.
VPN-1/FireWall-1 then uses the address of the interface the packets exit from as the actual hiding address.
1. Open the security policy editor.
2. Create a new workstation object for the network/address range being NATed.
3. Input the pertinent information on the general tab (name and IP).
4. Click on the NAT tab.
5. Click "use automatic translation rules".
6. Set the mode to "hide" and input 0.0.0.0 as the Hiding IP address.
Cause: An ISP did not provide a static IP address.
See the SecureKnowledge Solution (ID: 36.0.1738860.2502469) in the Check Point Technical Services site.
How to use Encryption with NAT and ICMP
Problem Description: Cannot encrypt and do NAT simultaneously on ICMP packets
To enable this feature you should quit all control GUIs, both fwui and GUI-clients (Windows and Motif), and
then manually edit the 'objects.C' file (in '$FWDIR/conf' for UNIX, '%SystemRoot%\fw\conf'
for NT). Change the line ":icmpcryptver (0)" to ":icmpcryptver (1)". This change should be
made on all encrypting/decrypting machines in your VPN.
NOTE: Making the change disables the Backward Compatibility of encrypting ICMP packets, such as ping.
This means that all affected machines will not be able to encrypt ICMP (with or without NAT) against
VPN-1/FireWall-1 from versions earlier than 3.0, and version 3.0 FireWalls which did not make this modification.
It is only necessary to modify the 'objects.C' file in the management stations. After modifying
'objects.C', reinstall the security policy on all VPN-1/FireWall-1 modules in the VPN. Once this
modification is done, VPN machines should be able to use encryption and address translation with ping.
See the SecureKnowledge Solution (ID: 36.0.2056964.2506360) in the Check Point Technical Services site.
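The edit above is a single-line change to a large object database, and the thing that goes wrong in practice is editing the wrong line, or editing a file that does not contain the attribute at all. The following is an added example, not part of this guide or of the product: a small Python helper that makes the ':icmpcryptver' change while checking that the line exists exactly once, and keeps a backup of the original file. The objects.C fragment is constructed for the example and is not a real export; the property names around ':icmpcryptver' are assumptions.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed objects.C fragment for this example. A real objects.C is a large
# object database; only the line this guide cares about matters here.
SAMPLE_OBJECTS_C = """(
\t:props (
\t\t:fwversion (4.1)
\t\t:icmpcryptver (0)
\t\t:allow_all_icmp (false)
\t)
)
"""

# Match ":icmpcryptver (0)" or ":icmpcryptver (1)" on its own line, keeping
# the indentation and the surrounding parentheses so the file layout survives.
ICMPCRYPTVER_RE = re.compile(
    r"^([ \t]*:icmpcryptver[ \t]*\()[ \t]*([01])[ \t]*(\))", re.MULTILINE
)


def get_icmpcryptver(text: str) -> Optional[int]:
    """Return the current :icmpcryptver value, or None if the line is absent."""
    m = ICMPCRYPTVER_RE.search(text)
    return int(m.group(2)) if m else None


def set_icmpcryptver(text: str, value: int = 1) -> str:
    """Return a copy of the objects.C text with :icmpcryptver set to value.

    Refuses to guess: if the attribute is missing or appears more than once,
    raise rather than silently editing the wrong thing.
    """
    if value not in (0, 1):
        raise ValueError("icmpcryptver must be 0 or 1")
    found = ICMPCRYPTVER_RE.findall(text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one :icmpcryptver line, found {len(found)}")
    return ICMPCRYPTVER_RE.sub(lambda m: f"{m.group(1)}{value}{m.group(3)}", text)


def update_objects_c(path: Path, value: int = 1) -> bool:
    """Edit objects.C on disk, writing a .bak copy first. Returns True if changed."""
    original = path.read_text()
    updated = set_icmpcryptver(original, value)
    if updated == original:
        return False  # already at the requested value; nothing to back up
    path.with_name(path.name + ".bak").write_text(original)
    path.write_text(updated)
    return True


if __name__ == "__main__":
    print(set_icmpcryptver(SAMPLE_OBJECTS_C, 1))
```

Run it against the management station's copy only (for example `update_objects_c(Path("/opt/CPfw1-41/conf/objects.C"))`, path assumed), then reinstall the policy as the guide says; the modules pick the value up from the installed policy.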
How to Connect several illegal IP networks through the Internet
Sometimes it is necessary to connect several networks with illegal addresses via the Internet. This is a problem,
because a client can only access a computer on another network if it can reach the IP address of that network.
One way to do this is to get legal IP addresses for the computers which need to be servers for the other
networks. Then, use Static Address Translation to translate the addresses of the servers, and Hide Address
Translation for everything else, so that the IP addresses will look like the following:
In Network                      Source IP                                   Destination IP
Internal-1 (the client's net)   Client (illegal)                            Server (legal)
Internet                        Address client is hidden to, usually        Server (legal)
                                Internal-1's gateway (legal)
Internal-2 (the server's net)   Address client is hidden to, usually        Server (illegal)
                                Internal-1's gateway (legal)
Another possibility is to use IP tunneling, to tunnel the IP packets with illegal source and destination addresses
in the data portion of legally addressed IP packets which pass between the gateways.