
RE: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address

Dgianna,

If you perform this, then what is the static route on the gateway going to
look like when the destination packet is destined for 4 or 5 physical
servers?

Thomas Poole

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, October 05, 2000 2:06 PM
To: [email protected]
Subject: [FW1] Port-sensitive redirection to multiple servers using one
single Hide-NAT address

I think you CAN do this with FW-1/VPN-1 . . .

ie:

you have one address: 123.45.67.89

and you want to route it to a server based on the service, or what port it
hits:

ie:

123.45.67.89:21 goes to the FTP server

123.45.67.89:80 goes to the http server

123.45.67.89:9091 goes to a <custom service> server.


Instead of applying global Address Translation rules (which would require a separate hide-mode NAT address for each server), apply the NATing to each object. You can have multiple objects NATted to the same address.

ie: when you create the network object that uses port 9091 (remember, you can define a custom service), add the NAT to the object. Do this for each object that hides behind the same shared address.

Then create rules to direct the service to each server: (ANY, WebServer, http, accept, log), (ANY, FTP_Server, ftp, authenticate, log), (ANY, Your_Server, <custom_9091>, accept, log), etc.

This way, if a service hits a particular port, it will be accepted by the corresponding rule, as it goes down the list of rules until it gets to one that accepts it. If none of the rules apply, it gets dropped and logged by your cleanup rule.

Alternately, I believe the Address Translation rules are applied in sequential order, so they may be executed in order. So you could have a NAT rule for the workstations, then for the FTP server, the webserver, the mailserver, and filter all the way down. I'd like to test this and see if it does work sequentially. If so, each NAT rule can be service-sensitive and send the service to the appropriate server.

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
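The quoted message describes two mechanisms working together: a port-sensitive destination NAT that maps one shared public address onto several real servers, and a first-match rule base in which a packet walks the rules top-down until one accepts it, falling through to the cleanup rule otherwise. The following Python model is an added example written for this archive page, not code from the thread or from Check Point; it assumes constructed internal addresses (10.0.0.x), a constructed client address, and a simplified rule tuple (source, destination, service port, action). It also includes a `shadowed_rules` check, which is the test a practitioner would want when rule order matters: any rule placed below a catch-all can never match.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"
SHARED_ADDRESS = "123.45.67.89"  # the one public address from the message

# Per-object NAT: destination port on the shared address -> (object name, real address).
# The internal 10.0.0.x addresses are constructed for this example.
PORT_NAT = {
    21: ("FTP_Server", "10.0.0.21"),
    80: ("WebServer", "10.0.0.80"),
    9091: ("Your_Server", "10.0.0.91"),   # the <custom_9091> service
}

# Rule base in the order the message gives it: (source, destination, service port, action).
# Every rule in the message logs, so logging is not modelled separately.
Rule = Tuple[str, str, object, str]
RULES: List[Rule] = [
    (ANY, "WebServer", 80, "accept"),
    (ANY, "FTP_Server", 21, "authenticate"),
    (ANY, "Your_Server", 9091, "accept"),
    (ANY, ANY, ANY, "drop"),   # cleanup rule: anything not matched above is dropped and logged
]


@dataclass(frozen=True)
class Verdict:
    rule_number: int               # 1-based position of the matching rule
    action: str
    server: Optional[str]          # object the packet was translated to, if any
    translated_dst: Optional[str]  # real address after NAT, if any


def translate(dst_ip: str, dst_port: int) -> Optional[Tuple[str, str]]:
    """Port-sensitive destination NAT on the shared address."""
    if dst_ip != SHARED_ADDRESS:
        return None
    return PORT_NAT.get(dst_port)


def _field_matches(rule_value, packet_value) -> bool:
    return rule_value == ANY or rule_value == packet_value


def evaluate(src_ip: str, dst_ip: str, dst_port: int, rules: List[Rule] = RULES) -> Verdict:
    """Translate first, then walk the rule base top-down and stop at the first match."""
    nat = translate(dst_ip, dst_port)
    dst_object = nat[0] if nat else dst_ip   # unmatched ports keep the raw address
    for number, (src, dst, service, action) in enumerate(rules, start=1):
        if (_field_matches(src, src_ip) and _field_matches(dst, dst_object)
                and _field_matches(service, dst_port)):
            return Verdict(number, action, nat[0] if nat else None, nat[1] if nat else None)
    raise ValueError("rule base has no cleanup rule; every packet must match something")


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """1-based numbers of rules that can never match because an earlier rule
    matches everything they match (each field equal or ANY). In this model the
    typical ordering mistake is a cleanup rule placed above the service rules."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(e == ANY or e == l for e, l in zip(earlier[:3], later[:3])):
                dead.append(i + 1)
                break
    return dead


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed outside address
    for port in (80, 21, 9091, 25):
        print(port, evaluate(client, SHARED_ADDRESS, port))
    # Moving the cleanup rule to the top leaves every service rule unreachable.
    print("shadowed:", shadowed_rules([RULES[-1]] + RULES[:-1]))
```

Running the script shows ports 21, 80 and 9091 landing on rules 1 to 3 with their translated server, while a packet to port 25 on the same address reaches no service rule and is dropped by the cleanup rule; the shadowing check on the reordered rule base reports rules 2, 3 and 4 as dead.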
All contents © 2003 Network Presence, LLC. All rights reserved.