RE: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well... I bet it is 'not supported' and for that reason 'not
possible', but it does work. At least on FW-1 4.0 SP4 with NT 4.0
SP6a (haven't tried FW-1 4.1 yet, but I imagine it will work on a 4.1
as well since there aren't that many changes to the way the state
table handles traffic).

Regards,
Frank

> -----Original Message-----
> From: Doug Schmidt [mailto:[email protected]]
> Sent: Friday, October 06, 2000 1:06 PM
> 
> Interesting...I called CP support a few weeks back, looking 
> to do this exact
> same thing.
> Basically support told me it could not be done, because of 
> the static routes
> in the firewall. The support person even left me on hold while 
> he talked with
> the "Senior" Engineer.
> 
> 
> 
> -----Original Message-----
> From: Frank Knobbe [mailto:[email protected]]
> Sent: Thursday, October 05, 2000 7:55 PM
> 
> Sure you can do this with FW-1. I'm doing it right now. It's only
> possible due to the state tables tracking ability. Here is how you
> do it:  
> 
> Create an object FTPserver with a HIDE NAT address of 123.45.67.89.
> Create an object HTTPserver with a HIDE NAT address of 123.45.67.89.
> Create an object OtherServer with a STATIC NAT address of 123.45.67.89.
> Create an object Server-Ext with an IP address of 123.45.67.89.
> 
> Define your rules like:
> 
> Any - Server-Ext - FTP - Allow
> Any - Server-Ext - HTTP - Allow
> (etc)
> 
> Then add Translation rules on top of the NAT table like this:
> 
> Any - Server-Ext - FTP -to- Original - FTPServer - Original
> Any - Server-Ext - HTTP -to- Original - HTTPServer - Original
> 
> Note that FTPserver and HTTPserver will show an S for static NAT
> although it is a hide NAT object.
> 
> Requests for HTTP will be redirected to HTTPserver, requests for FTP
> to FTPserver. Any other incoming port goes to OtherServer.
> 
> When HTTPserver needs to originate a packet (in my case, I use a
> redirected port for SMTP).... let's take FTP. If the FTPserver
> needs to originate a packet, it will be translated to the same IP
> address (.89). However, FW-1 will note in its state table where the
> connection was coming from, so return packets for that connection
> do indeed hit FTPserver and not OtherServer.
> 
> Hope this helps (to put an end to the port translation/redirection
> debate...)
> 
> Regards,
> Frank
> 
> PS: Don't forget the proxy arp entry in the local.arp file, and to
> add a route (pointing to OtherServer).

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOd4WpURKym0LjhFcEQLD9QCdE/2xaUJRwLZM6iFnD4YWbhAqUssAoLxa
qsZJIIeP28VmqLpXz5ocV3Df
=37rV
-----END PGP SIGNATURE-----
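The mechanism Frank relies on above is that a stateful firewall keys return traffic on the connection it recorded, not on the destination port rules, so three hosts can sit behind one public address and still receive their own replies. The following Python model is an added example written for this archive page; it is not code from the thread or from Check Point. The public address 123.45.67.89 is the one from the post; the private addresses 10.0.0.21/10.0.0.80/10.0.0.99, the external client and mail relay addresses, and the hide-port range starting at 10000 are assumptions made up for the simulation. Real FW-1 hide NAT also rewrites the source port of outbound connections, which the model reproduces; it does not model the proxy ARP entry or the route mentioned in the PS.

```python
# Added example, not from the original thread: a small model of the
# port-sensitive redirection plus hide NAT that Frank describes.
from dataclasses import dataclass

PUBLIC_IP = "123.45.67.89"      # Server-Ext, the address from the post
FTP_SERVER = "10.0.0.21"        # FTPserver, hide NAT (assumed private IP)
HTTP_SERVER = "10.0.0.80"       # HTTPserver, hide NAT (assumed private IP)
OTHER_SERVER = "10.0.0.99"      # OtherServer, static NAT (assumed private IP)

# Translation rules in the order they sit at the top of the NAT table:
# port-specific destination rules first, then OtherServer's static NAT
# catches every other inbound port.
PORT_RULES = {21: FTP_SERVER, 80: HTTP_SERVER}
DEFAULT_SERVER = OTHER_SERVER


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNat:
    """One public IP shared by three internal hosts, with a state table."""

    def __init__(self, hide_port_base=10000):
        # (peer ip, peer port, our public port) -> (internal ip, internal port)
        self.ext_to_int = {}
        # (internal ip, internal port, peer ip, peer port) -> our public port
        self.int_to_ext = {}
        self.next_hide_port = hide_port_base   # assumed hide-port range

    def inbound(self, pkt):
        """Packet arriving from the Internet, addressed to the public IP."""
        if pkt.dst != PUBLIC_IP:
            raise ValueError("not addressed to the public IP")
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.ext_to_int:
            # Return traffic for a connection already in the state table goes
            # back to whichever host originated it, ignoring the port rules.
            int_ip, int_port = self.ext_to_int[key]
        else:
            # New inbound connection: port-sensitive rule, else OtherServer.
            int_ip, int_port = PORT_RULES.get(pkt.dport, DEFAULT_SERVER), pkt.dport
            self.ext_to_int[key] = (int_ip, int_port)
            self.int_to_ext[(int_ip, int_port, pkt.src, pkt.sport)] = pkt.dport
        return Packet(pkt.src, pkt.sport, int_ip, int_port)

    def outbound(self, pkt):
        """Packet leaving an internal host; its source is hidden behind PUBLIC_IP."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.int_to_ext:
            pub_port = self.int_to_ext[key]          # reply on an existing connection
        else:
            # Connection originated inside: allocate a hide port and record the
            # originator so the peer's reply can be matched back to it.
            pub_port = self.next_hide_port
            self.next_hide_port += 1
            self.int_to_ext[key] = pub_port
            self.ext_to_int[(pkt.dst, pkt.dport, pub_port)] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, pub_port, pkt.dst, pkt.dport)


def demo():
    """Walk through the cases from the post and return the translated results."""
    fw = StatefulNat()
    client = "198.51.100.7"    # assumed external client
    mx = "203.0.113.5"         # assumed external mail relay
    out = {}
    out["http"] = fw.inbound(Packet(client, 40000, PUBLIC_IP, 80)).dst
    out["ftp"] = fw.inbound(Packet(client, 40001, PUBLIC_IP, 21)).dst
    out["other"] = fw.inbound(Packet(client, 40002, PUBLIC_IP, 25)).dst
    # HTTPserver's reply keeps public port 80 rather than taking a hide port.
    out["http_reply"] = fw.outbound(Packet(HTTP_SERVER, 80, client, 40000))
    # FTPserver originates an SMTP connection; the relay's reply must reach
    # FTPserver even though "any other port" inbound would hit OtherServer.
    sent = fw.outbound(Packet(FTP_SERVER, 33000, mx, 25))
    out["ftp_out_src"] = (sent.src, sent.sport)
    out["ftp_out_reply"] = fw.inbound(Packet(mx, 25, PUBLIC_IP, sent.sport)).dst
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The last two entries of demo() are the case the thread argues about: the reply to FTPserver's outbound SMTP connection arrives on a port that no translation rule names, and only the state-table entry created by outbound() keeps it from falling through to OtherServer's static NAT.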


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================