Hello,
I'm having a problem in replacing a Checkpoint firewall with a Netscreen. The diagram is as follows:
ISP (real ip 202.44.55.143) -- Router (10.0.0.5) -- (10.0.0.4) Firewall (192.168.1.1) -- Client (192.168.1.x)
Before the replacement, the firewall could perform the NAT so that the source IP from the client would be a real IP like 202.44.55.143 (using the Hide IP option of the Checkpoint NAT), and it was then able to route outside.
After the replacement with the Netscreen, it does the NAT using the IP address of the untrust interface, 10.0.0.4, and hence the traffic is unroutable.
For the Netscreen, is there any way of forcing the NAT to use 202.44.55.143 as the source IP of NAT-ed packets? I've checked the Netscreen documents, which have a feature called DIP (or MIP, whatever), but DIP/MIP only allow me to set another IP that is still within the subnet of the untrusted interface (so setting it to 10.0.0.8 is OK, 202.44.55.143 is not allowed).
The router is from the ISP and it looks like it's not NAT-ed, as evidenced by putting a notebook PC in place of the firewall like this; the PC is unable to connect outside.
ISP (real ip 202.44.55.xx) -- Router (10.0.0.5) -- (10.0.0.4) Notebook PC
There is another obvious solution: we scrap the ISP's router and let the new Netscreen do the PPPoE, but there may be some political issue, so I couldn't do it.
Thanks for any help!