
Re: [FW1] Hiding multiple servers behind 1 IP address



Thanks to ALL who responded to my original question.  I have gotten further but have not quite finished the race <grin>.

Below is just using one service as an example.

I now have NAT set up as such:

 ORIG
 Source     Destination     Service
 Any        abc.123.123.1   18000

 XLATED
 Source     Destination        Service
 Original   10.6.0.50(static)  1800

And Security Policy:

 Source  Destination    Service  Action  Install On
 Any     abc.123.123.1  1800     accept  abc.123.123.1

Executing 'fw log -tfn' and then telnetting from an external machine to abc.123.123.1:1800 shows 'Accept', yet this telnet is rejected.  A packet trace shows my test machine sending a SYN and then the firewall sending an ACK-RST right away (despite the 'Accept'!).

Any ideas??  Also, does NAT occur before the packet is passed off to the INSPECT engine to check against the security policy?

Thanks again for all of your comments.

Regards,

-Todd

--- [email protected] (Carl E. Mankinen) wrote:
>This is REALLY easy to do with FW-1.
>
>All you do is create a STATIC NAT rule with the proper settings.
>(actually two rules in NAT tab, and two in the rulebase)
>
>
>let's say your outside IP is 10.1.1.1 and you have two servers inside
>at 192.168.1.1 (ftp) and 192.168.1.2 (http)
>
>On the NAT tab,
>orig src = any
>orig dest = 10.1.1.1
>orig svc = ftp
>xlat src = any
>xlat dest = 102.168.1.1
>xlat svc = original
>
>orig src = any
>orig dest = 10.1.1.1
>orig svc = http
>xlat src = any
>xlat dest = 192.168.1.2
>xlat svc = original
>
>and then the obvious rulebase entries to allow packets to enter/leave various interfaces.
>
>I recommend NOT using your firewall-1 outside address for anything (except in case of implied rules)
>If you are using a single outside IP for everything, then you can't stealth the firewall as easily.
>
>Another problem is what if you want to have 2 ftp servers available from one outside IP?
>You could use normal ftp service settings and rules for one, but the other would require you to define
>some new service in FW1 and probably end up editing some .def/.C files to make the firewall treat
>this as an FTP connection on ports other than 21/20 etc..
>
>
>
>
>----- Original Message ----- 
>From: "Really Boring" <[email protected]>
>To: <[email protected]>; <[email protected]>
>Cc: <[email protected]>
>Sent: Thursday, October 05, 2000 3:05 PM
>Subject: Re: [FW1] Hiding multiple servers behind 1 IP address
>
>
>> 
>> Not quite - hide NAT only works if the traffic is originating from the 
>> "hidden" servers. Todd is trying to have 2 servers share the same IP address 
>> for traffic originating from the Internet, not for traffic originating from 
>> those 2 servers.
>> 
>> Check out http://www.phoneboy.com/fw1/faq/0022.html. By the way, I haven't 
>> tried it, so if it doesn't work, you're on your own :-)
>> 
>> -RB
>> 
>> >From: Jason Witty <[email protected]>
>> >To: [email protected]
>> >CC: [email protected]
>> >Subject: Re: [FW1] Hiding multiple servers behind 1 IP address
>> >Date: Thu, 05 Oct 2000 12:28:13 -0500
>> >
>> >
>> >It's called hide-mode NAT in FW-1.  An example NAT rule would look like
>> >this (obviously you need an access rule as well):
>> >
>> >ORIGINAL PACKET             NATted PACKET
>> >SOURCE        DEST          SOURCE      DEST
>> >internal-net  ANY           hide-addr   ORIG
>> >
>> >Hope this helps.
>> >
>> >Jason
>> >
>> >Todd Ginther wrote:
>> > >
>> > > Hello All,
>> > >
>> > > I haven't seen a FW-1 solution to something that I currently do with 
>> >another firewall product - that is to be able to advertise a single IP out 
>> >to the world (firewall external interface) and have the firewall direct 
>> >inbound Internet traffic to different internal servers based solely on which 
>> >port the firewall gets hit on.
>> > >
>> > > Example:
>> > >
>> > >   -Advertised IP address is abc.123.123.1
>> > >
>> > >   -Traffic hits abc.123.123.1:18000 gets redirected
>> > >    to an internal server, machine alpha.
>> > >
>> > >   -Traffic hits abc.123.123.1:19500 gets redirected
>> > >    to a different internal server, machine beta.
>> > >
>> > > Any ideas?  I would prefer not to have to use up a bunch of IPs to do 
>> >one-to-one NAT.
>> > >
>> > > Thanks in advance, all!
>> > >
>> > > Regards,
>> > >
>> > > -Todd

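As an added sanity check (example code written for this page, not from the thread or from Check Point), the model below replays Todd's NAT and policy tables against an inbound SYN to port 18000. It assumes classic FW-1 ordering, rulebase matched on the original packet and address translation afterwards, and lets you flip that assumption: under either order, a policy rule that names the public address together with the translated service (1800) cannot match, while one written entirely on the original side (18000) does. The client address 198.51.100.7 is a constructed placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:  # static NAT keyed on original destination + service
    orig_dst: str
    orig_svc: int
    xlat_dst: str
    xlat_svc: int = 0  # 0 stands for "Original": the port is left unchanged

@dataclass(frozen=True)
class PolicyRule:
    dst: str
    svc: int
    action: str

def translate(pkt: Packet, nat: list) -> Packet:
    """Apply the first matching static NAT rule; return pkt unchanged if none matches."""
    for r in nat:
        if pkt.dst == r.orig_dst and pkt.dport == r.orig_svc:
            return Packet(pkt.src, r.xlat_dst, pkt.dport if r.xlat_svc == 0 else r.xlat_svc)
    return pkt

def first_match(pkt: Packet, policy: list) -> str:
    """First-match rulebase; the implicit cleanup rule drops everything else."""
    for r in policy:
        if r.dst in (pkt.dst, "Any") and r.svc == pkt.dport:
            return r.action
    return "drop"

def inbound(pkt, policy, nat, rulebase_before_nat=True):
    """Gateway model (an assumption, not from the thread): classic FW-1 matches the
    rulebase on the original packet and translates afterwards; flip the flag to
    see what the same rules do if translation ran first."""
    if rulebase_before_nat:
        action = first_match(pkt, policy)
        return action, (translate(pkt, nat) if action == "accept" else pkt)
    xlated = translate(pkt, nat)
    return first_match(xlated, policy), xlated

# Constructed from Todd's tables: NAT 18000 -> 10.6.0.50:1800, policy rule
# written against the public address but the *translated* service.
NAT = [NatRule("abc.123.123.1", 18000, "10.6.0.50", 1800)]
POLICY_AS_POSTED = [PolicyRule("abc.123.123.1", 1800, "accept")]
POLICY_FIXED = [PolicyRule("abc.123.123.1", 18000, "accept")]  # service on original side
PROBE = Packet("198.51.100.7", "abc.123.123.1", 18000)  # constructed external client
```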

