
Re: [FW1] NAT Issue



Hi,
I suggest you check your firewall logs to see whether your incoming
packets do get dropped by the firewall before they are routed to the
internal interface.
I could not see any rule which allows incoming connections to the public
IP of your internal machine.
On the other hand, the order of operations of FW-1 (quote from PhoneBoy)
is:

1. Inbound anti-spoof check (verifies the source IP is included in the interface's "valid addresses" setting)
2. Inbound check against the rulebase (includes properties)
3. Routing by the OS
4. Outbound anti-spoof check (verifies the destination IP is included in the interface's "valid addresses" setting)
5. Outbound check against the rulebase (includes properties)
6. Network Address Translation

At #2 when the incoming packets are checked against the security policy
you should still have the destination IP address as being the public
(routable) one. 

Cristian





boenning wrote:
> 
> Hello,
> 
> I've trouble with NAT, it works just in one direction. This is the scenario:
> Behind the Firewall resides a routable Network. Now I've added a new Subnet to this network which is hidden class. The routing between the routable internal network and the hidden class network is done by a sun. Routing at all works fine. I could reach from the firewall a hidden machine and I can reach the firewall from the hidden machine. (Just added a route to the firewall which adds the route to the sun router for the hidden net and the sun router defaults to the firewall). Now I want to add NAT, so that one of the hidden machines could reach the internet and the internet could reach the hidden machine. This should be done by static NAT.
> I added a static arp entry for the valid IP with the hidden MAC.
> I added the object with real IP and static NAT to the valid IP.
> I added two rules with the object.
> (BTW I changed spoofing also to get things to work)
> 1.) hidden any any ...
> 2.) any hidden any
> 
> Any connection from the hidden machine to the outside works great (Just the way it should).
> But if I try to reach the machine from the outside I can't connect.
> I.e. Outside traffic works, inside not.
> I've tried to track down the problem with snoop.
> I could verify that the outside packets reach the firewall. I even could verify that these packets reach the sun router, but they don't reach the hidden machine.
> Have I missed something on the firewall or does the problem belong to the sun router, because the packets reach the sun router. For both cases, any clue?
> 
> TIA, Dirk.
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

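As an added illustration of the FW-1 order of operations Cristian quotes (this is a toy model written for this page, not code from the thread or from Check Point), the following Python walks one inbound packet through the six stages. Addresses are constructed from documentation ranges and the rule format is made up; it shows that a rule written against the host's real (hidden) address never sees the inbound packet, because the destination is only translated at stage 6, and that leaving the valid IP out of the internal interface's anti-spoof list drops the packet at stage 4.

```python
import ipaddress

# Constructed sample addressing (documentation ranges, not from the thread).
PUBLIC_IP = "203.0.113.10"   # routable "valid" address assigned to the hidden host
HIDDEN_IP = "10.0.1.20"      # real address on the hidden subnet
STATIC_NAT = {PUBLIC_IP: HIDDEN_IP}           # inbound static NAT: valid -> real
# OS routing table: internal nets plus the valid IP (the static ARP/route entry).
ROUTES = {"192.0.2.0/24": "internal", "10.0.1.0/24": "internal",
          PUBLIC_IP + "/32": "internal"}
# Anti-spoof "valid addresses" of the internal interface, as it should be set.
VALID_INTERNAL = ["192.0.2.0/24", "10.0.1.0/24", PUBLIC_IP + "/32"]

def in_nets(ip, nets):
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n) for n in nets)

def in_valid(ip, iface, valid_internal):
    """Internal interface accepts its listed nets; external accepts the rest."""
    internal = in_nets(ip, valid_internal)
    return internal if iface == "internal" else not internal

def first_match(rules, src, dst):
    """Rulebase lookup: first matching rule wins, implicit drop otherwise."""
    for r in rules:
        if r["src"] in ("any", src) and r["dst"] in ("any", dst):
            return r["action"]
    return "drop"

def inbound(rules, src, dst, in_iface="external", valid_internal=VALID_INTERNAL):
    """Walk one packet through the six stages quoted above.
    Returns (verdict, stage reached, destination as seen at that stage)."""
    if not in_valid(src, in_iface, valid_internal):          # 1 inbound anti-spoof
        return ("drop", 1, dst)
    if first_match(rules, src, dst) != "accept":             # 2 rulebase, dst untranslated
        return ("drop", 2, dst)
    out_iface = next((i for n, i in ROUTES.items() if in_nets(dst, [n])), "external")  # 3
    if not in_valid(dst, out_iface, valid_internal):         # 4 outbound anti-spoof
        return ("drop", 4, dst)
    if first_match(rules, src, dst) != "accept":             # 5 rulebase again
        return ("drop", 5, dst)
    return ("accept", 6, STATIC_NAT.get(dst, dst))           # 6 NAT, only now rewritten

RULES_REAL = [{"src": "any", "dst": HIDDEN_IP, "action": "accept"}]    # won't match inbound
RULES_PUBLIC = [{"src": "any", "dst": PUBLIC_IP, "action": "accept"}]  # matches at 2 and 5

if __name__ == "__main__":
    for name, rules in (("real-IP rule", RULES_REAL), ("public-IP rule", RULES_PUBLIC)):
        print(name, inbound(rules, "198.51.100.5", PUBLIC_IP))
```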


All contents © 2003 Network Presence, LLC. All rights reserved.