Re: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address



heh, the reason the nat rule says that it is a static rule is because IT IS.
I think there might be some misunderstanding here. Whether HIDE or STATIC NAT
is used has nothing to do with addressing. It just specifies what type of address translation
is being performed. In static, there is no PAT performed unless you specify.
In hide, what is really happening is NAT+PAT.

If you have a rule in the NAT tab that says it's doing static NAT, that's what it is doing
regardless of what you think you may have set on the network object.

btw, the "automatic nat" settings on the object tabs are pretty much useless.
Everyone I know with complicated NAT setups just manually builds them in the NAT rulebase.

----- Original Message ----- 
From: "Doug Schmidt" <[email protected]>
To: "'Frank Knobbe'" <[email protected]>; <[email protected]>; <[email protected]>
Sent: Friday, October 06, 2000 2:05 PM
Subject: RE: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address


> 
> Interesting...I called CP support a few weeks back, looking to do this exact
> same thing.
> Basically support told me it could not be done, because of the static routes
> in the firewall. The support folk even left me on hold while he talked with
> the "Senior" Engineer.
> 
> 
> 
> -----Original Message-----
> From: Frank Knobbe [mailto:[email protected]]
> Sent: Thursday, October 05, 2000 7:55 PM
> To: '[email protected]';
> [email protected]
> Subject: RE: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Sure you can do this with FW-1. I'm doing it right now. It's only
> possible due to the state tables tracking ability. Here is how you do
> it:
> 
> Create an object FTPserver with a HIDE NAT address of 123.45.67.89.
> Create an object HTTPserver with a HIDE NAT address of 123.45.67.89.
> Create an object OtherServer with a STATIC NAT address of
> 123.45.67.89.
> Create an object Server-Ext with an IP address of 123.45.67.89.
> 
> Define your rules like:
> 
> Any - Server-Ext - FTP - Allow
> Any - Server-Ext - HTTP - Allow
> (etc)
> 
> Then add Translation rules on top of the NAT table like this:
> 
> Any - Server-Ext - FTP -to- Original - FTPServer - Original
> Any - Server-Ext - HTTP -to- Original - HTTPServer - Original
> 
> Note that FTPserver and HTTPserver will show an S for static NAT
> although it is a hide NAT object.
> 
> Request to HTTP will be redirected to HTTPserver, request for FTP to
> FTPserver. Any other incoming port goes to OtherServer.
> 
> When HTTPserver needs to originate a packet (in my case, I use a
> redirected port for SMTP).... let's take FTP. If the FTPserver needs
> to originate a packet, it will be translated to the same IP address
> (.89). However, FW-1 will note in its state table where the connection
> was coming from, so return packets for that connection do indeed hit
> FTPserver and not OtherServer.
> 
> Hope this helps (to put an end to the port translation/redirection
> debate...)
> 
> Regards,
> Frank
> 
> PS: Don't forget the proxy arp entry in the local.arp file, and to
> add a route (pointing to OtherServer).
> 
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Thursday, October 05, 2000 1:06 PM
> > 
> > 
> > I think you CAN do this with FW-1/VPN-1 . . .
> > 
> > ie:
> > 
> > you have one address: 123.45.67.89
> > 
> > and you want to route it to a server based on the service, or 
> > what port it hits:
> > 
> > ie:
> > 
> > 123.45.67.89:21 goes to the FTP server
> > 
> > 123.45.67.89:80 goes to the http server
> > 
> > 123.45.67.89:9091 goes to a <custom service> server.
> > 
> > 
> > Instead of applying global Address Translation rules (which would require a
> > separate hide-mode NAT address for each server), apply the NATing to each
> > object. You can have multiple objects NATted to the same address.
> > 
> > ie: when you create the network object that uses port 9091 (remember, you can
> > define a custom service), add the NAT to the object.
> > Do this for each object that hides behind the same shared address.
> > 
> > Then create rules to direct the service to each server (ANY, WebServer, http,
> > accept, log), (ANY, FTP_Server, ftp, authenticate, log), (ANY, Your_Server,
> > <custom_9091>, accept, log), etc.
> > 
> > This way, if a service hits a particular port, it will be accepted by the
> > corresponding rule, as it goes down the list of rules until it gets to one that
> > accepts it.
> > If none of the rules apply, it gets dropped and logged by your cleanup rule.
> > 
> > Alternately, I believe the Address Translation rules are applied in sequential
> > order, so they may be executed in order. So you could have a NAT rule for the
> > workstations, then for the FTP server, the webserver, the mailserver, and filter
> > all the way down. I'd like to test this and see if it does work sequentially.
> > If so, each NAT rule can be service-sensitive and send the service to the
> > appropriate server.
> > 
> > 
> > 
> > 
> > 
> > 
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> > 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.1
> Comment: PGP or S/MIME encrypted email preferred.
> 
> iQA/AwUBOd0U4URKym0LjhFcEQLPAQCgkPrmlYY4esawkbkCkdqPzC9CVG8AoLIU
> 6od8zHrCcgWFFqlf/vTrxHQu
> =pb4p
> -----END PGP SIGNATURE-----
> 
> 
> 
> 



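The thread makes two claims that are easy to get wrong in practice: NAT rows are matched in order, so the service-specific rows must sit above the catch-all "static" row, and it is the connection (state) table, not the rulebase, that steers return packets of a server-originated connection back to the right host behind the shared address. The toy model below is an added example written for this page; it is not Check Point's implementation and not the posters' configuration. It keeps the shared address 123.45.67.89 from the thread and assumes made-up internal server addresses (10.0.0.21, 10.0.0.80, 10.0.0.91, 10.0.0.99) and client addresses; `StatefulNat`, `NatRule`, `Packet` and `demo` are names invented here.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

SHARED_EXT = "123.45.67.89"     # the single public address from the thread
FTP_SERVER = "10.0.0.21"        # assumed internal addresses (not from the post)
HTTP_SERVER = "10.0.0.80"
CUSTOM_SERVER = "10.0.0.91"
OTHER_SERVER = "10.0.0.99"      # the catch-all "static NAT" target

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class NatRule:
    """One NAT rulebase row: match original destination and service, rewrite
    the destination address. service=None matches any port (the catch-all row)."""
    orig_dst: str
    service: Optional[int]
    xlate_dst: str

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst_ip == self.orig_dst and self.service in (None, pkt.dst_port)

class StatefulNat:
    def __init__(self, nat_rules: List[NatRule]) -> None:
        self.nat_rules = nat_rules
        # inbound view: (remote ip, remote port, ext ip, ext port) -> (internal ip, port)
        self.state: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # outbound view: (internal ip, port, remote ip, remote port) -> external port
        self.reverse: Dict[Tuple[str, int, str, int], int] = {}
        self.next_port = 10000      # PAT port pool for server-originated connections

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the outside: state table first, then first-match rules."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.state:                   # return traffic of a tracked connection
            ip, port = self.state[key]
            return replace(pkt, dst_ip=ip, dst_port=port)
        for rule in self.nat_rules:             # order matters: first match wins
            if rule.matches(pkt):
                xlated = replace(pkt, dst_ip=rule.xlate_dst)
                self.state[key] = (xlated.dst_ip, xlated.dst_port)
                self.reverse[(xlated.dst_ip, xlated.dst_port, pkt.src_ip, pkt.src_port)] = pkt.dst_port
                return xlated
        return None                             # no NAT row applied

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving an internal server: replies reuse the recorded external
        port; new connections get hide NAT (shared address) plus PAT (fresh port)."""
        rkey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if rkey not in self.reverse:
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.reverse[rkey] = ext_port
            self.state[(pkt.dst_ip, pkt.dst_port, SHARED_EXT, ext_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=SHARED_EXT, src_port=self.reverse[rkey])

def service_sensitive_rulebase() -> List[NatRule]:
    """Service-specific rows on top, catch-all last (the order the thread recommends)."""
    return [
        NatRule(SHARED_EXT, 21, FTP_SERVER),
        NatRule(SHARED_EXT, 80, HTTP_SERVER),
        NatRule(SHARED_EXT, 9091, CUSTOM_SERVER),
        NatRule(SHARED_EXT, None, OTHER_SERVER),
    ]

def demo() -> dict:
    fw = StatefulNat(service_sensitive_rulebase())
    client = "198.51.100.7"                     # constructed remote client
    out = {}
    out["ftp"] = fw.inbound(Packet(client, 40000, SHARED_EXT, 21)).dst_ip
    out["http"] = fw.inbound(Packet(client, 40001, SHARED_EXT, 80)).dst_ip
    out["custom"] = fw.inbound(Packet(client, 40002, SHARED_EXT, 9091)).dst_ip
    out["other"] = fw.inbound(Packet(client, 40003, SHARED_EXT, 25)).dst_ip
    reply = fw.outbound(Packet(FTP_SERVER, 21, client, 40000))   # FTP server answers
    out["reply"] = (reply.src_ip, reply.src_port)
    # FTP server originates SMTP; the answer must return to it, not to OtherServer,
    # even though its port matches only the catch-all row
    new = fw.outbound(Packet(FTP_SERVER, 35000, "203.0.113.5", 25))
    back = fw.inbound(Packet("203.0.113.5", 25, SHARED_EXT, new.src_port))
    out["originated"] = (new.src_ip, new.src_port, back.dst_ip, back.dst_port)
    # Same rows with the catch-all on top: it shadows the service-specific rows
    rules = service_sensitive_rulebase()
    bad = StatefulNat([rules[-1]] + rules[:-1])
    out["misordered_ftp"] = bad.inbound(Packet(client, 40000, SHARED_EXT, 21)).dst_ip
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

Running `demo()` shows port 21, 80 and 9091 requests landing on their own servers, every other port falling through to OtherServer, and the SMTP connection originated by the FTP server getting its answer back via the state table rather than the catch-all row. The last entry shows what happens when the catch-all row is placed first: the FTP request is swallowed by it, which is why the service rows go "on top of the NAT table". The model ignores proxy ARP and routing, which the thread notes you still have to set up separately.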



 