Checkpoint Problem

am 04.02.2007 07:29:52 von Will

I have a public IP mapped to two different hosts behind the firewall. One
of these works, and the second one is not seen by the firewall log at all.
I'm hoping someone has some ideas on possible causes.

Let there be a public IP. The firewall rules say that some machines can
connect to this IP on service A and another group of machines can connect on
service B.

The public IP is entered in the routing table to move the packet to a router
inside that knows how to get to the two destination subnets.

The NAT rules convert the public IP when the service is A to an IP on an
internal host. That works. The NAT rule below it converts the public IP
when the service is B to a different IP on an internal host. Both of
those internal hosts are directly connected to the router that the routing
rule sends the packet to.

I put a sniffer on the external interface of the firewall, and I clearly see
the incoming SYN to the public IP on the destination port for service B.
But the firewall log shows *nothing*. No rule is ever invoked. What
would this indicate?

Is incoming FTP handled in some special way by Checkpoint?

--
Will
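One way to make the symptom above concrete (SYNs visible on the external interface but absent from the firewall log) is to correlate the two sources. The script below is added here and is not part of Will's post or any Check Point tool; it parses constructed tcpdump-style lines and constructed log lines whose field layout is assumed, and lists the SYNs that never produced a log entry, grouped by destination port.

```python
import re
from collections import Counter

# Constructed sample: SYNs captured by a sniffer on the external interface.
# 203.0.113.10 plays the public IP; ports 80 and 21 stand in for services A and B.
SNIFFER_LINES = """\
07:29:01.100 IP 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq 1
07:29:02.200 IP 198.51.100.8.51890 > 203.0.113.10.21: Flags [S], seq 1
07:29:03.300 IP 198.51.100.7.51235 > 203.0.113.10.80: Flags [S.], seq 2
07:29:04.400 IP 198.51.100.9.40001 > 203.0.113.10.21: Flags [S], seq 1
""".splitlines()

# Constructed firewall log lines (assumed layout, one line per logged connection).
FW_LOG_LINES = """\
07:29:01 accept rule=4 src=198.51.100.7 dst=203.0.113.10 service=80
07:29:02 accept rule=5 src=198.51.100.7 dst=203.0.113.10 service=443
""".splitlines()

# Match only pure SYNs ("[S]"), not SYN/ACK replies ("[S.]").
SYN_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\]")
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) service=(\d+)")


def wire_syns(lines):
    """Return (src, dst, dport) for each connection attempt seen on the wire."""
    out = []
    for line in lines:
        m = SYN_RE.search(line)
        if m:
            out.append((m.group(1), m.group(3), int(m.group(4))))
    return out


def logged_flows(lines):
    """Return the set of (src, dst, service) the firewall actually logged."""
    out = set()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.add((m.group(1), m.group(2), int(m.group(3))))
    return out


def unlogged_syns(sniffer_lines, log_lines):
    """SYNs the sniffer saw that never matched any logged rule."""
    logged = logged_flows(log_lines)
    return [s for s in wire_syns(sniffer_lines) if s not in logged]


def summarize_by_port(missing):
    """Count unlogged SYNs per destination port: a single port points at a NAT/rule gap."""
    return Counter(dport for _, _, dport in missing)
```

If every unlogged SYN lands on one port while the other service is logged normally, the gap is in the rule base or NAT handling for that service rather than in routing.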

Re: Checkpoint Problem

am 06.02.2007 09:39:36 von larstr

Will wrote:
: I have a public IP mapped to two different hosts behind the firewall. One
: of these works, and the second one is not seen by the firewall log at all.
: I'm hoping someone has some ideas on possible causes.

: Let there be a public IP. The firewall rules say that some machines can
: connect to this IP on service A and another group of machines can connect on
: service B.

What version of Checkpoint firewall is this? Have you enabled "Translate
destination on client side"?

More on all NAT settings here:
http://www.checkpoint.com/services/education/training/samples/admin1_ngx_sample.pdf

Lars