
RE: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address



Interesting...I called CP support a few weeks back, looking to do this exact
same thing.
Basically support told me it could not be done, because of the static routes
in the firewall. The support folk even left me on hold while he talked with
the "Senior" Engineer.



-----Original Message-----
From: Frank Knobbe [mailto:[email protected]]
Sent: Thursday, October 05, 2000 7:55 PM
To: '[email protected]';
[email protected]
Subject: RE: [FW1] Port-sensitive redirection to multiple servers using
one single Hide-NAT address



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sure you can do this with FW-1. I'm doing it right now. It's only
possible due to the state table's tracking ability. Here is how you do
it:

Create an object FTPserver with a HIDE NAT address of 123.45.67.89.
Create an object HTTPserver with a HIDE NAT address of 123.45.67.89.
Create an object OtherServer with a STATIC NAT address of
123.45.67.89.
Create an object Server-Ext with an IP address of 1234.45.67.89.

Define your rules like:

Any - Server-Ext - FTP - Allow
Any - Server-Ext - HTTP - Allow
(etc)

Then add Translation rules on top of the NAT table like this:

Any - Server-Ext - FTP -to- Original - FTPServer - Original
Any - Server-Ext - HTTP -to- Original - HTTPServer - Original

Note that FTPserver and HTTPserver will show an S for static NAT
although it is a hide NAT object.

Request to HTTP will be redirected to HTTPserver, request for FTP to
FTPserver. Any other incoming port goes to OtherServer.

When HTTPserver needs to originate a packet (in my case, I use a
redirected port for SMTP).... let's take FTP. If the FTPserver needs
to originate a packet, it will be translated to the same IP address
(.89). However, FW-1 will note in its state table where the connection
was coming from, so return packets for that connection do indeed hit
FTPserver and not OtherServer.

Hope this helps (to put an end to the port translation/redirection
debate...)

Regards,
Frank

PS: Don't forget the proxy arp entry in the local.arp file, and to
add a route (pointing to OtherServer).

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Thursday, October 05, 2000 1:06 PM
> 
> 
> I think you CAN do this with FW-1/VPN-1 . . .
> 
> ie:
> 
> you have one address: 123.45.67.89
> 
> and you want to route it to a server based on the service, or 
> what port it hits:
> 
> ie:
> 
> 123.45.67.89:21 goes to the FTP server
> 
> 123.45.67.89:80 goes to the http server
> 
> 123.45.67.89.90:9091 goes to a <custom service> server.
> 
> 
> Instead of applying global Address Translation rules (which 
> would require a
> separate hide-mode NAT address for each server),
> apply the NATing to each object. You can have multiple 
> objects NATted to the
> same address.
> 
> ie: when you create the network object that uses port 9091 
> (remember, you can
> define a custom service), add the NAT to the object.
> Do this for each object that hides behind the same shared address.
> 
> Then create rules to direct the service to each server (ANY, 
> WebServer, http,
> accept, log), (ANY, FTP_Server, ftp, authenticate, log), 
> (ANY, Your_Server,
> <custom_9091>, accept, log), etc.
> 
> This way, if a service hits a particular port, it will be 
> accepted by the
> corresponding rule, as it goes down the list of rules until 
> it gets to one that
> accepts it.
> If none of the rules apply, it gets dropped and logged by 
> your cleanup rule.
> 
> Alternately, I believe the Address Translation rules are 
> applied in sequential
> order, so they may be executed in order. So you could have a 
> NAT rule for the
> workstations, then for the FTP server, the webserver, the 
> mailserver, and filter
> all the way down. I'd like to to test this and see if it does 
> work sequentially.
> If so, each NAT rule can be service-sensitive and send the 
> service to the
> appropriate server.
> 
> 
> 
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 



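The port-based redirection and state-table behaviour Frank describes, as an added toy model in Python that is not part of the thread or of Check Point's software; the object names, the rule order and the way the state table is keyed are assumptions taken from his description, and hide NAT's rewriting of source ports is left out for clarity.

```python
from dataclasses import dataclass, field

EXT_IP = "123.45.67.89"          # the one shared Hide/Static NAT address

# Translation rules on top of the NAT table, matched in order:
# service port -> internal object. Anything not listed goes to the
# Static NAT object, OtherServer (assumed names from the post).
PORT_RULES = {21: "FTPserver", 80: "HTTPserver"}
DEFAULT_SERVER = "OtherServer"


@dataclass
class Firewall:
    # state table: (peer_ip, peer_port, ext_port) -> internal server
    state: dict = field(default_factory=dict)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the outside to the shared address. Returns the
        internal server that receives it (None if not for EXT_IP)."""
        if dst_ip != EXT_IP:
            return None
        key = (src_ip, src_port, dst_port)
        # An existing state entry wins over the translation rules, so the
        # reply to a server-originated flow is steered back to that server.
        if key in self.state:
            return self.state[key]
        server = PORT_RULES.get(dst_port, DEFAULT_SERVER)
        self.state[key] = server      # record the new inbound connection
        return server

    def outbound(self, server, src_port, dst_ip, dst_port):
        """Server-originated packet: source is hidden behind EXT_IP and
        the flow is recorded so its reply does not fall through to
        OtherServer. Returns the translated source as seen outside."""
        # the reply will arrive from dst_ip:dst_port to EXT_IP:src_port
        self.state[(dst_ip, dst_port, src_port)] = server
        return (EXT_IP, src_port)


def demo():
    """Constructed scenario: three inbound requests, then FTPserver
    opens an outbound connection whose reply must come back to it."""
    fw = Firewall()
    hits = [fw.inbound("198.51.100.7", 40000, EXT_IP, 80),
            fw.inbound("198.51.100.7", 40001, EXT_IP, 21),
            fw.inbound("198.51.100.7", 40002, EXT_IP, 9091)]
    fw.outbound("FTPserver", 33000, "192.0.2.25", 25)
    hits.append(fw.inbound("192.0.2.25", 25, EXT_IP, 33000))
    return hits
```

Without the state entry, the reply on port 33000 would match no port rule and land on OtherServer; the last element of `demo()` shows the state table preventing that.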




