[FW1] NAT & User Auth
Hi,

I currently have a test FW-1 system in the lab, between two networks. The firewall interfaces are 10.0.0.1/8 and 192.168.0.11/24. This is FW-1 4.1 SP1 running under NT.

I have a rule in the rulebase which states:

    src       dst             service     action
    grp-ss    wks-ss-server   http, ftp   accept

The group grp-ss contains two network objects, which define address ranges within the 10.0.0.0/8 subnet. wks-ss-server has IP address 192.168.0.100.

There is also a single manual entry in the Address Translation policy, which hides the grp-ss subnets behind the address grp-ss-hide (192.168.0.80):

    src       dest            service     src               dst     service
    grp-ss    wks-ss-server   any         grp-ss-hide (H)   =orig   =orig

This works exactly as expected; wks-ss-server sees traffic from the 'grp-ss' subnets originating from the grp-ss-hide address (192.168.0.80).

If the action on the rule in the rulebase is changed to "User Auth", and user access is enabled, then NAT appears to not function as expected. (The manual Address Translation rule is still present.)

    src            dst             service     action
    users@grp-ss   wks-ss-server   http, ftp   User Auth

Users are correctly authenticated and allowed access to wks-ss-server, but traffic appears to originate from the IP address of the firewall (192.168.0.11) on the 192.168.0.0/24 subnet, and not the NAT hide address of 192.168.0.80 which would be expected. The log file shows that the address translations are not occurring.

Cheers,
Matt

--
Matthew Melbourne