Troubleshooting guide

Chapter 3: Troubleshooting Network Address Translation. Resolving Common NAT Problems
Advanced Technical Reference Guide 4.1, June 2000
Note: The following instructions show how to change both the source and destination address in address translation rules. The procedure makes it possible to use the server's illegal IP address from the internal network by creating the following address translation rule:

1. Original Packet
Source | Destination | Service
Internal-1 network | Server's Illegal | any

2. Translated Packet
Source | Destination | Service
Internal-1's Gateway (hide) | Server's Legal | Original

3. Install on Internal-1's Gateway

In this case, the IP addresses will look like this:

In Network | Source IP | Destination IP
Internal-1 (the client's net) | Client (illegal) | Server (illegal)
Internet | Internal-1's gateway (legal) | Server (legal)
Internal-2 (the server's net) | Internal-1's gateway (legal) | Server (illegal)
Note: SKIP and IPSEC, which encapsulate the IP packets, do not require any of the above, and allow you to disregard the whole issue.
See the SecureKnowledge Solution (ID 36.0.2512318.2514147) in the Check Point Technical Services site
Is there a limitation on XLATE_HIDE?
There is no limit on the number of internal computers that use FW_XLATE_HIDE. However, there is a limit on the total number of address translated connections. The default size for the NAT tables is 25,000 and can be enlarged to 50,000.
See the SecureKnowledge Solution (ID 36.0.2437377.2512633) in the Check Point Technical Services site
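As an added illustration (not from the guide), the following Python models the double translation rule above together with the bounded NAT table discussed under XLATE_HIDE. The client network, the hide address and the server's legal and illegal addresses are constructed sample values, and the table capacity is a parameter so the 25,000 default can be shrunk to show what happens when it is exhausted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; every value here is an assumption, not taken from the guide.
INTERNAL_1 = ipaddress.ip_network("10.1.0.0/16")   # Internal-1, the client's net
GW1_LEGAL = "198.51.100.1"                          # Internal-1's gateway, used as the hide address
SERVER_ILLEGAL = "10.2.0.5"                         # the server's illegal address on Internal-2
SERVER_LEGAL = "203.0.113.5"                        # the server's legal (statically translated) address
NAT_TABLE_SIZE = 25_000                             # default NAT table size stated by the guide

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class HideNat:
    """Hide (many-to-one) source translation with a bounded connection table."""
    def __init__(self, hide_addr: str, capacity: int = NAT_TABLE_SIZE):
        self.hide_addr, self.capacity = hide_addr, capacity
        self.table: dict = {}          # (orig src, orig sport) -> translated source port
        self.next_port = 10000
    def translate(self, pkt: Packet):
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            if len(self.table) >= self.capacity:
                return None            # table full: the new connection cannot be translated
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.hide_addr, pkt.dst, self.table[key], pkt.dport)

def internal1_gateway(pkt: Packet, hide: HideNat):
    """The guide's rule: Internal-1 -> Server's Illegal becomes hide address -> Server's Legal."""
    if ipaddress.ip_address(pkt.src) not in INTERNAL_1 or pkt.dst != SERVER_ILLEGAL:
        return pkt                     # rule does not match: forward unchanged
    hidden = hide.translate(pkt)
    return None if hidden is None else Packet(hidden.src, SERVER_LEGAL, hidden.sport, hidden.dport)

def internal2_gateway(pkt: Packet) -> Packet:
    """The server's ordinary static rule: packets to Server's Legal are delivered to Server's Illegal."""
    return Packet(pkt.src, SERVER_ILLEGAL, pkt.sport, pkt.dport) if pkt.dst == SERVER_LEGAL else pkt

def trace(client: str, hide: HideNat, sport: int = 40000):
    """Addresses seen on each network as a packet crosses both gateways, matching the guide's table."""
    p0 = Packet(client, SERVER_ILLEGAL, sport, 80)
    p1 = internal1_gateway(p0, hide)
    if p1 is None:
        return None                    # dropped: NAT table exhausted
    p2 = internal2_gateway(p1)
    return [("Internal-1", p0.src, p0.dst), ("Internet", p1.src, p1.dst), ("Internal-2", p2.src, p2.dst)]
```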
How to Configure SecuRemote with Split DNS for an Internal DNS Server
Problem Description: DNS queries to the Internal Domain may be encrypted and resolved by the Internal DNS server.
Refer to the document: “How to Configure SecuRemote with Split DNS for an Internal DNS Server”. (See the SecureKnowledge Solution (ID 55.0.790723.2565472) in the Check Point Technical Services site.)
All DNS queries other than those to the Internal Domain are resolved by an external (ISP) public DNS server.
The security aspect of Split DNS is clearly to hide internal domain information from the outside world.
Split DNS can also prove valuable for non-routable internal address schemes such as 10.x.x.x or 172.16.x.x.
See the SecureKnowledge Solution (ID 55.0.790723.2565472) in the Check Point Technical Services site
How to use NAT when the IP address is embedded in the data area
There are certain protocols, such as the one used to communicate between a Primary Domain Controller and a Backup Domain Controller in Windows, which put the IP address in the data area, where VPN-1/FireWall-1 doesn't know how to change it unless NAT has been adapted specifically to that protocol.
In these cases it is sometimes possible to use two VPN-1/FireWall-1 gateways with Address Translation to still allow the protocol to be used.