Re: [FW1] Hiding multiple servers behind 1 IP address



This is REALLY easy to do with FW-1.

All you do is create a STATIC NAT rule with the proper settings.
(actually two rules in NAT tab, and two in the rulebase)


Let's say your outside IP is 10.1.1.1 and you have two servers inside
at 192.168.1.1 (ftp) and 192.168.1.2 (http).

On the NAT tab,
orig src = any
orig dest = 10.1.1.1
orig svc = ftp
xlat src = any
xlat dest = 192.168.1.1
xlat svc = original

orig src = any
orig dest = 10.1.1.1
orig svc = http
xlat src = any
xlat dest = 192.168.1.2
xlat svc = original

and then the obvious rulebase entries to allow packets to enter/leave various interfaces.

I recommend NOT using your firewall-1 outside address for anything (except in case of implied rules)
If you are using a single outside IP for everything, then you can't stealth the firewall as easily.

Another problem is what if you want to have 2 ftp servers available from one outside IP?
You could use normal ftp service settings and rules for one, but the other would require you to define
some new service in FW1 and probably end up editing some .def/.C files to make the firewall treat
this as an FTP connection on ports other than 21/20 etc.




----- Original Message ----- 
From: "Really Boring" <[email protected]>
To: <[email protected]>; <[email protected]>
Cc: <[email protected]>
Sent: Thursday, October 05, 2000 3:05 PM
Subject: Re: [FW1] Hiding multiple servers behind 1 IP address


> 
> Not quite - hide NAT only works if the traffic is originating from the 
> "hidden" servers. Todd is trying to have 2 servers share the same IP address 
> for traffic originating from the Internet, not for traffic originating from 
> those 2 servers.
> 
> Check out http://www.phoneboy.com/fw1/faq/0022.html. By the way, I haven't 
> tried it, so if it doesn't work, you're on your own :-)
> 
> -RB
> 
> >From: Jason Witty <[email protected]>
> >To: [email protected]
> >CC: [email protected]
> >Subject: Re: [FW1] Hiding multiple servers behind 1 IP address
> >Date: Thu, 05 Oct 2000 12:28:13 -0500
> >
> >
> >It's called hide-mode NAT in FW-1.  An example NAT rule would look like
> >this (obviously you need an access rule as well):
> >
> >ORIGINAL PACKET NATted PACKET
> >SOURCE DEST SOURCE DEST
> >internal-net ANY hide-addr ORIG
> >
> >Hope this helps.
> >
> >Jason
> >
> >Todd Ginther wrote:
> > >
> > > Hello All,
> > >
> > > I haven't seen a FW-1 solution to something that I currently do with
> > > another firewall product - that is to be able to advertise a single IP out
> > > to the world (firewall external interface) and have the firewall direct
> > > inbound Internet traffic to different internal servers based solely on which
> > > port the firewall gets hit on.
> > >
> > > Example:
> > >
> > >   -Advertised IP address is abc.123.123.1
> > >
> > >   -Traffic hits abc.123.123.1:18000 gets redirected
> > >    to an internal server, machine alpha.
> > >
> > >   -Traffic hits abc.123.123.1:19500 gets redirected
> > >    to a different internal server, machine beta.
> > >
> > > Any ideas?  I would prefer not to have to use up a bunch of IP's to do
> > > one-to-one NAT.
> > >
> > > Thanks in advance, all!
> > >
> > > Regards,
> > >
> > > -Todd
> > >
> > > ================================================================================
> > >      To unsubscribe from this mailing list, please see the instructions at
> > >                http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> >
> 

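The lookup performed by the static NAT rules in the reply at the top of this thread, modelled as an added Python example (not part of the original messages and not Check Point code). It also flags the "two FTP servers on one outside IP" case as a rule that can never match. The client address 203.0.113.5, the third server 192.168.1.3 and the custom service "ftp-alt" on port 2121 are constructed for illustration; the shadowing check compares exact match keys only, and FTP data-channel handling is not modelled.

```python
from dataclasses import dataclass

ANY, ORIGINAL = "any", "original"
# Service name -> TCP port. "ftp-alt" is a constructed custom service.
SERVICES = {"ftp": 21, "http": 80, "ftp-alt": 2121}

@dataclass(frozen=True)
class NatRule:
    orig_src: str
    orig_dst: str
    orig_svc: str
    xlat_src: str
    xlat_dst: str
    xlat_svc: str

def matches(rule, src, dst, port):
    return (rule.orig_src in (ANY, src)
            and rule.orig_dst in (ANY, dst)
            and (rule.orig_svc == ANY or SERVICES[rule.orig_svc] == port))

def translate(rules, src, dst, port):
    """Apply the first matching rule; return (src, dst, port) or None."""
    for rule in rules:
        if matches(rule, src, dst, port):
            new_src = src if rule.xlat_src in (ANY, ORIGINAL) else rule.xlat_src
            new_port = port if rule.xlat_svc == ORIGINAL else SERVICES[rule.xlat_svc]
            return new_src, rule.xlat_dst, new_port
    return None

def shadowed(rules):
    """Indexes of rules hidden behind an earlier rule with the same match key."""
    seen, dead = set(), []
    for i, r in enumerate(rules):
        key = (r.orig_src, r.orig_dst, r.orig_svc)
        if key in seen:
            dead.append(i)
        seen.add(key)
    return dead

# The two rules from the message, with the addresses given there.
RULES = [
    NatRule(ANY, "10.1.1.1", "ftp", ANY, "192.168.1.1", ORIGINAL),
    NatRule(ANY, "10.1.1.1", "http", ANY, "192.168.1.2", ORIGINAL),
]
# Constructed: a second FTP server published on the same service is never reached.
NAIVE = RULES + [NatRule(ANY, "10.1.1.1", "ftp", ANY, "192.168.1.3", ORIGINAL)]
# Constructed: the same server published on its own service (port 2121).
FIXED = RULES + [NatRule(ANY, "10.1.1.1", "ftp-alt", ANY, "192.168.1.3", ORIGINAL)]
```

Running `shadowed()` over an exported NAT table before installing policy catches published servers that silently receive no traffic because an earlier rule claims the same address and service.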

