Re: [FW1] Hiding multiple servers behind 1 IP address
Thanks to ALL who responded to my original question. I have gotten further but have not quite finished the race <grin>. Below is just using one service as an example.

I now have NAT set up as such:

          Source     Destination        Service
  ORIG    Any        abc.123.123.1      18000
  XLATED  Original   10.6.0.50(static)  1800

And Security Policy:

  Source   Destination     Service   Action   Install On
  Any      abc.123.123.1   1800      accept   abc.123.123.1

Executing 'fw log -tfn' and then telnetting from an external machine to abc.123.123.1:1800 shows 'Accept', yet this telnet is rejected. A packet trace shows my test machine sending a SYN and then the firewall sending an ACK-RST right away (despite the 'Accept'!). Any ideas??

Also, does NAT occur before the packet is passed off to the INSPECT engine to check against the security policy?

Thanks again for all of your comments.

Regards,

-Todd

--- [email protected] (Carl E. Mankinen) wrote:
>This is REALLY easy to do with FW-1.
>
>All you do is create a STATIC NAT rule with the proper settings.
>(actually two rules in NAT tab, and two in the rulebase)
>
>Let's say your outside IP is 10.1.1.1 and you have two servers inside
>at 192.168.1.1 (ftp) and 192.168.1.2 (http)
>
>On the NAT tab,
>orig src = any
>orig dest = 10.1.1.1
>orig svc = ftp
>xlat src = any
>xlat dest = 102.168.1.1
>xlat svc = original
>
>orig src = any
>orig dest = 10.1.1.1
>orig svc = http
>xlat src = any
>xlat dest = 192.168.1.2
>xlat svc = original
>
>and then the obvious rulebase entries to allow packets to enter/leave various interfaces.
>
>I recommend NOT using your firewall-1 outside address for anything (except in case of implied rules).
>If you are using a single outside IP for everything, then you can't stealth the firewall as easily.
>
>Another problem is what if you want to have 2 ftp servers available from one outside IP?
>You could use normal ftp service settings and rules for one, but the other would require you to define
>some new service in FW1 and probably end up editing some .def/.C files to make the firewall treat
>this as an FTP connection on ports other than 21/20 etc.
>
>----- Original Message -----
>From: "Really Boring" <[email protected]>
>To: <[email protected]>; <[email protected]>
>Cc: <[email protected]>
>Sent: Thursday, October 05, 2000 3:05 PM
>Subject: Re: [FW1] Hiding multiple servers behind 1 IP address
>
>> Not quite - hide NAT only works if the traffic is originating from the
>> "hidden" servers. Todd is trying to have 2 servers share the same IP address
>> for traffic originating from the Internet, not for traffic originating from
>> those 2 servers.
>>
>> Check out http://www.phoneboy.com/fw1/faq/0022.html. By the way, I haven't
>> tried it, so if it doesn't work, you're on your own :-)
>>
>> -RB
>>
>> >From: Jason Witty <[email protected]>
>> >To: [email protected]
>> >CC: [email protected]
>> >Subject: Re: [FW1] Hiding multiple servers behind 1 IP address
>> >Date: Thu, 05 Oct 2000 12:28:13 -0500
>> >
>> >It's called hide-mode NAT in FW-1. An example NAT rule would look like
>> >this (obviously you need an access rule as well):
>> >
>> >   ORIGINAL PACKET          NATted PACKET
>> >   SOURCE        DEST       SOURCE      DEST
>> >   internal-net  ANY        hide-addr   ORIG
>> >
>> >Hope this helps.
>> >
>> >Jason
>> >
>> >Todd Ginther wrote:
>> > >
>> > > Hello All,
>> > >
>> > > I haven't seen a FW-1 solution to something that I currently do with
>> > > another firewall product - that is to be able to advertise a single IP out
>> > > to the world (firewall external interface) and have the firewall direct
>> > > inbound Internet traffic to different internal servers based solely on which
>> > > port the firewall gets hit on.
>> > >
>> > > Example:
>> > >
>> > > -Advertised IP address is abc.123.123.1
>> > >
>> > > -Traffic hits abc.123.123.1:18000 gets redirected
>> > > to an internal server, machine alpha.
>> > >
>> > > -Traffic hits abc.123.123.1:19500 gets redirected
>> > > to a different internal server, machine beta.
>> > >
>> > > Any ideas? I would prefer not to have to use up a bunch of IPs to do
>> > > one-to-one NAT.
>> > >
>> > > Thanks in advance, all!
>> > >
>> > > Regards,
>> > >
>> > > -Todd
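The thread above describes port-based static destination NAT behind one external address (Carl's two-rule NAT tab and rulebase) and a case where the log shows Accept while the handshake is reset. The following Python model is an added example written for this page; it is not code from the mailing list or from Check Point. It assumes the FW-1 4.x processing order in which the security rulebase is matched against the original, untranslated packet and the NAT rule is applied afterwards, and it uses constructed addresses (203.0.113.1 stands in for the abc.123.123.1 placeholder, 198.51.100.7 is a constructed external client). The `audit` function is a configuration check of my own design: it flags accept rules on the external address that no NAT rule redirects (the firewall itself would then answer the port), and NAT rules whose original destination port has no accept rule.

```python
"""Model of FW-1 style static destination NAT behind one external address.

Added example, not code from the mailing list or from Check Point. Assumes the
FW-1 4.x ordering: rulebase matched on the untranslated packet, NAT afterwards.
All addresses and ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "any"            # wildcard in a rule field
ORIGINAL = "original"  # "keep the original value" in a translated field
Svc = Union[int, str]  # a destination port, or ANY/ORIGINAL


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    svc: int  # services are identified by destination port in this model


@dataclass(frozen=True)
class NatRule:
    orig_src: str
    orig_dst: str
    orig_svc: Svc
    xlat_src: str
    xlat_dst: str
    xlat_svc: Svc


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    svc: Svc
    action: str  # "accept" or "drop"


def _matches(rule_value: Svc, packet_value) -> bool:
    return rule_value == ANY or rule_value == packet_value


def nat_translate(pkt: Packet, nat_table: List[NatRule]) -> Tuple[Packet, Optional[NatRule]]:
    """Apply the first matching NAT rule; return the packet unchanged if none matches."""
    for rule in nat_table:
        if (_matches(rule.orig_src, pkt.src) and _matches(rule.orig_dst, pkt.dst)
                and _matches(rule.orig_svc, pkt.svc)):
            # "any"/"original" in a translated field both mean: keep the original value
            src = pkt.src if rule.xlat_src in (ANY, ORIGINAL) else rule.xlat_src
            dst = pkt.dst if rule.xlat_dst == ORIGINAL else rule.xlat_dst
            svc = pkt.svc if rule.xlat_svc == ORIGINAL else rule.xlat_svc
            return Packet(src, dst, svc), rule
    return pkt, None


def rulebase_action(pkt: Packet, rulebase: List[Rule]) -> str:
    """First matching rule wins; the implicit cleanup rule drops everything else."""
    for rule in rulebase:
        if _matches(rule.src, pkt.src) and _matches(rule.dst, pkt.dst) and _matches(rule.svc, pkt.svc):
            return rule.action
    return "drop"


def process_inbound(pkt: Packet, rulebase: List[Rule], nat_table: List[NatRule]) -> Tuple[str, Optional[Packet]]:
    """Return (action, packet as delivered). The rulebase sees the untranslated packet."""
    action = rulebase_action(pkt, rulebase)
    if action != "accept":
        return action, None
    delivered, _ = nat_translate(pkt, nat_table)  # unchanged when no NAT rule matches
    return action, delivered


def audit(rulebase: List[Rule], nat_table: List[NatRule], external_ip: str) -> List[str]:
    """Constructed consistency check between the rulebase and the NAT table."""
    findings = []
    probe_src = "198.51.100.7"  # constructed external client
    for rule in rulebase:
        if rule.action != "accept" or rule.dst != external_ip or rule.svc == ANY:
            continue
        if nat_translate(Packet(probe_src, external_ip, rule.svc), nat_table)[1] is None:
            findings.append(f"accept rule for {external_ip}:{rule.svc} has no NAT rule; "
                            f"the firewall itself would answer that port")
    for nat in nat_table:
        if nat.orig_svc == ANY:
            continue
        if rulebase_action(Packet(probe_src, nat.orig_dst, nat.orig_svc), rulebase) != "accept":
            findings.append(f"NAT rule {nat.orig_dst}:{nat.orig_svc} -> {nat.xlat_dst} "
                            f"has no accept rule on the original port")
    return findings


# Carl's layout: one outside IP, ftp and http redirected to two inside hosts.
OUTSIDE = "10.1.1.1"
NAT_TABLE = [
    NatRule(ANY, OUTSIDE, 21, ANY, "192.168.1.1", ORIGINAL),
    NatRule(ANY, OUTSIDE, 80, ANY, "192.168.1.2", ORIGINAL),
]
RULEBASE = [Rule(ANY, OUTSIDE, 21, "accept"), Rule(ANY, OUTSIDE, 80, "accept")]

# A constructed mismatch: NAT keyed on port 18000, rulebase accepting port 1800.
EXT = "203.0.113.1"
MISMATCH_NAT = [NatRule(ANY, EXT, 18000, ORIGINAL, "10.6.0.50", 1800)]
MISMATCH_RULEBASE = [Rule(ANY, EXT, 1800, "accept")]

if __name__ == "__main__":
    for port in (21, 80, 23):
        print(port, process_inbound(Packet("198.51.100.7", OUTSIDE, port), RULEBASE, NAT_TABLE))
    print(audit(RULEBASE, NAT_TABLE, OUTSIDE))
    print(audit(MISMATCH_RULEBASE, MISMATCH_NAT, EXT))
```

Running the module shows port 21 and 80 accepted and delivered to 192.168.1.1 and 192.168.1.2 respectively, port 23 dropped by the cleanup rule, no audit findings for Carl's layout, and two findings for the mismatched pair. In the mismatched case a packet to port 1800 is accepted by the rulebase but leaves `nat_translate` untouched, which is the combination to rule out first when `fw log` reports Accept yet the connection is reset.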