
[FW1] NAT & User Auth



Hi,

I currently have a test FW-1 system in the lab, between two networks. The
firewall interfaces are 10.0.0.1/8 and 192.168.0.11/24. This is FW-1 4.1 SP1
running under NT.

I have a rule in the rulebase which states:

 src            dst             service         action

 grp-ss         wks-ss-server   http, ftp       accept

The group grp-ss contains two network objects, which define address ranges
within the 10.0.0.0/8 subnet. wks-ss-server has IP address 192.168.0.100.

There is also a single manual entry in the Address Translation policy,
which hides the grp-ss subnets behind the address grp-ss-hide (192.168.0.80):

                 Original Packet                     Translated Packet
 src            dest            service         src             dst     service

 grp-ss         wks-ss-server   any             grp-ss-hide (H) =orig   =orig

This works exactly as expected; wks-ss-server sees traffic from the
'grp-ss' subnets originating from the grp-ss-hide address (192.168.0.80).

If the action on the rule in the rulebase is changed to "User Auth",
and user access is enabled, then NAT appears not to function as expected.
(The manual Address Translation rule is still present.)

 src            dst             service         action

 users@grp-ss   wks-ss-server   http, ftp       User Auth

Users are correctly authenticated and allowed access to wks-ss-server, but
traffic appears to originate from the IP address of the firewall (192.168.0.11)
on the 192.168.0.0/24 subnet, and not from the NAT hide address of 192.168.0.80
which would be expected. The log file shows that the address translations
are not occurring.

Cheers,

Matt

-- 
Matthew Melbourne
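The following is an added editor's model of the two rulebase actions described in the post; it is not code from the post or from Check Point. It assumes the documented FW-1 behaviour that "User Auth" for HTTP and FTP is handled by the firewall's security servers, which terminate the client's connection and open a second connection to the server from the firewall's own interface, so the manual NAT rule is evaluated against that second connection rather than the client's packet. The two address ranges inside grp-ss are constructed (the post does not give them); all other addresses are taken from the post.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the post.
FW_EXTERNAL = ipaddress.ip_address("192.168.0.11")    # firewall interface facing the server
GRP_SS_HIDE = ipaddress.ip_address("192.168.0.80")    # hide address from the manual NAT rule
WKS_SS_SERVER = ipaddress.ip_address("192.168.0.100")

# Constructed address ranges for the two network objects in grp-ss (assumption:
# the post only says they lie inside 10.0.0.0/8).
GRP_SS = [
    (ipaddress.ip_address("10.1.0.1"), ipaddress.ip_address("10.1.0.254")),
    (ipaddress.ip_address("10.2.0.1"), ipaddress.ip_address("10.2.0.254")),
]


@dataclass(frozen=True)
class Conn:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    service: str


def client_conn(src_ip: str, service: str) -> Conn:
    """Build a client connection to wks-ss-server from a dotted-quad source."""
    return Conn(ipaddress.ip_address(src_ip), WKS_SS_SERVER, service)


def in_group(addr: ipaddress.IPv4Address, ranges) -> bool:
    """True if addr falls inside any of the (low, high) address ranges."""
    return any(lo <= addr <= hi for lo, hi in ranges)


def nat_rule_matches(conn: Conn) -> bool:
    """Original-packet side of the manual NAT rule: src grp-ss, dst wks-ss-server, any service."""
    return in_group(conn.src, GRP_SS) and conn.dst == WKS_SS_SERVER


def apply_hide_nat(conn: Conn) -> Conn:
    """Translated-packet side: hide the source behind grp-ss-hide, leave dst/service =orig."""
    if nat_rule_matches(conn):
        return Conn(GRP_SS_HIDE, conn.dst, conn.service)
    return conn


def forward(conn: Conn, action: str) -> Conn:
    """Return the connection as wks-ss-server sees it.

    'accept'    : stateful forwarding; NAT is applied to the client's own packet.
    'user_auth' : security-server model (assumption stated in the lead-in); the
                  firewall opens a new connection from its own interface and NAT
                  is evaluated on that connection, whose source is not in grp-ss.
    """
    if action == "accept":
        return apply_hide_nat(conn)
    if action == "user_auth":
        proxied = Conn(FW_EXTERNAL, conn.dst, conn.service)
        return apply_hide_nat(proxied)
    raise ValueError(f"unknown action: {action}")


def explain(conn: Conn, action: str) -> str:
    """One-line diagnosis matching what the NAT log would (not) show."""
    seen = forward(conn, action)
    if seen.src == GRP_SS_HIDE:
        return "translated: source hidden behind grp-ss-hide"
    if seen.src == FW_EXTERNAL:
        return "not translated: connection originates from the firewall interface, outside grp-ss"
    return "not translated: source outside grp-ss"


if __name__ == "__main__":
    c = client_conn("10.1.0.5", "http")
    for action in ("accept", "user_auth"):
        seen = forward(c, action)
        print(f"{action:9s} server sees src={seen.src}  ({explain(c, action)})")
```

Running the block prints the accept case as src=192.168.0.80 and the User Auth case as src=192.168.0.11, reproducing the observation in the post: the NAT rule is correct, but its source match never sees a grp-ss address once the connection is proxied. When checking a rulebase like this, a useful question is whether the connection that reaches the NAT rule is still the client's packet or one the firewall itself originated; the logged source address answers it directly.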





