Troubleshooting guide

Chapter 3 Troubleshooting Network Address Translation Resolving Common NAT Problems
Advanced Technical Reference Guide 4.1 June 2000 25
If there is a VPN/FireWall module on the client side of the Internet, as follows:
Server-------FW-1-------Internet---------FW-1 ---------Client
You can use DST Static Address Translation, which will translate the illegal IP address of the server to its legal
IP address.
For example, suppose that the server's illegal IP address is 10.0.0.1, and its legal IP address is 197.3.5.10. In
this case, you would have the following address translation rules on the FireWall at the exit of the server's LAN:
Original Packet                          Translated Packet
Source        Destination   Service      Source          Destination     Service
10.0.0.1      any           any          197.3.5.10(s)   any             any
Any           197.3.5.10    any          Any             10.0.0.1(s)     any
In this case you'd need the following rules on the FireWall on the client side:
Original Packet                          Translated Packet
Source        Destination   Service      Source          Destination     Service
Any           10.0.0.1      any          Any             197.3.5.10(s)   any
197.3.5.10    any           any          10.0.0.1(s)     any             any
Then, the packet will travel the Internet with the legal IP address of the server, but both the client and the server
will see it with its illegal address. Note that if the client's IP address is also illegal, you would need to use dual
Address Translation.
See the SecureKnowledge Solution (ID 36.0.2437410.2512633) in the Check Point Technical Services site.
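The two rule tables above can be traced end to end to confirm that only the legal address appears on the Internet segment. This Python sketch is an added example, not part of the Check Point guide; it assumes first-match rule evaluation, models "illegal" addresses as the RFC 1918 ranges, and uses constructed client addresses (198.51.100.7 and 192.168.1.5).

```python
from ipaddress import ip_address, ip_network

# "Illegal" addresses are modelled here as the RFC 1918 private ranges (assumption).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rules from the tables above: (orig_src, orig_dst, new_src, new_dst).
# "any" matches every address; None leaves that field untranslated.
SERVER_FW = [("10.0.0.1", "any", "197.3.5.10", None),
             ("any", "197.3.5.10", None, "10.0.0.1")]
CLIENT_FW = [("any", "10.0.0.1", None, "197.3.5.10"),
             ("197.3.5.10", "any", "10.0.0.1", None)]

def translate(rules, src, dst):
    """Apply the first matching rule (first-match evaluation is assumed)."""
    for o_src, o_dst, n_src, n_dst in rules:
        if o_src in ("any", src) and o_dst in ("any", dst):
            return n_src or src, n_dst or dst
    return src, dst

def trace(src, dst, firewalls):
    """Return the (src, dst) pair seen on each segment: LAN, Internet, LAN."""
    segments = [(src, dst)]
    for rules in firewalls:
        src, dst = translate(rules, src, dst)
        segments.append((src, dst))
    return segments

def is_illegal(addr):
    return any(ip_address(addr) in net for net in RFC1918)

def internet_leaks(client):
    """True if an illegal address appears on the Internet segment in either direction."""
    request = trace(client, "10.0.0.1", [CLIENT_FW, SERVER_FW])
    reply = trace("10.0.0.1", client, [SERVER_FW, CLIENT_FW])
    return any(is_illegal(a) for pair in (request[1], reply[1]) for a in pair)

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed sample address, not from the guide
    for name, path in (("request", trace(client, "10.0.0.1", [CLIENT_FW, SERVER_FW])),
                       ("reply", trace("10.0.0.1", client, [SERVER_FW, CLIENT_FW]))):
        print(name, " -> ".join(f"{s}>{d}" for s, d in path))
    print("illegal address on Internet:", internet_leaks(client))
    # A client that is itself illegal leaks its source address: the dual-NAT case.
    print("with illegal client:", internet_leaks("192.168.1.5"))
```

The second check reproduces the caveat in the text: with an illegal client address, the source field still carries a private address across the Internet, so translation is needed on both fields.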
Does the ident service work with Hide NAT?
Ident is not reliably supported when attempting to get identification information for IP addresses which are used
to FWXT_HIDE multiple computers.
See the SecureKnowledge Solution (ID 36.0.600194.2485190) in the Check Point Technical Services site.
If the external IP address of the FireWall is an illegal address, can you connect to it via SecuRemote?
The SecuRemote client will be unable to connect to the FireWall.
When there is an external NAT device between the FireWall and the Internet, and the external IP address of the
FireWall is not published, and the external NAT device is performing hide NAT, the packets issued by the
SecuRemote client cannot be routed by the Internet to the destination.
Cause: If the external IP address of the FireWall is not published, there is no way for the SecuRemote client to
find the FireWall.
See the SecureKnowledge Solution (ID 55.0.639947.2564039) in the Check Point Technical Services site.