Re: [FW1] NAT & User Auth



Matthew,

Have you gotten an answer for this one yet?

Well anyway, when using authentication or
one of the security servers, the firewall will
be the one making the connection, not the
original station. IOW, the firewall will always
originate the connection. The NAT rules will
not be applied in this case, as you have found
out.

Robert

- -
Robert P. MacDonald, Network Engineer
Team Lead, e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice:email: [email protected]

>>> Matthew Melbourne <[email protected]> 11/25/00 12:29:49 PM >>>
>
>Hi,
>
>I currently have a test FW-1 system in the lab, between two networks. The
>firewall interfaces are 10.0.0.1/8 and 192.168.0.11/24. This is FW-1 4.1 SP1
>running under NT.
>
>I have a rule in the rulebase which states:
>
> src            dst             service         action
>
> grp-ss         wks-ss-server   http, ftp       accept
>
>The group grp-ss, contains two network objects, which defines address ranges
>within the 10.0.0.0/8 subnet. wks-ss-server has IP address 192.168.0.100.
>
>There is also a single manual entry in the Address Translation policy,
>which hides the grp-ss subnets behind the address grp-ss-hide (192.168.0.80)
>
> src            dest            service         src             dst     service
>
> grp-ss         wks-ss-server   any             grp-ss-hide (H) =orig   =orig
>
>This works exactly as expected, wks-ss-server sees traffic from the
>'grp-ss' subnets originating from the grp-ss-hide address (192.168.0.80)
>
>If the action on the rule in the rulebase is changed to "User Auth", 
>and user access is enabled, then NAT appears to not function as expected. 
>(The manual Address Translation rule is still present).
>
> src            dst             service         action
>
> users@grp-ss   wks-ss-server   http, ftp       User Auth
>
>Users are correctly authenticated and allowed access to wks-ss-server, but
>traffic appears to originate from the IP address of the firewall (192.168.0.11)
>on the 192.168.0.0/24 subnet, and not the NAT hide address of 192.168.0.80 
>which would be expected. The log file shows that the address translations
>are not occurring.
>
>Cheers,
>
>Matt
>-- 
>Matthew Melbourne
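The following is an added illustration of the behaviour Robert describes; it is not Check Point code and not part of the original thread. It models the two paths: under a plain "accept" rule the gateway forwards the client's own packet, so the manual hide rule matches the original 10.x source and rewrites it to grp-ss-hide; under "User Auth" the HTTP/FTP security server terminates the client session and opens a new connection from the gateway's own interface, whose address is outside grp-ss, so no translation rule matches and the server logs 192.168.0.11. Object names and addresses are taken from the thread; the two grp-ss ranges, the Conn/HideRule structures and the function names are assumptions made for the example.

```python
"""Model of why hide-NAT is skipped under FW-1 User Auth (added example, not Check Point code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

# Objects from the thread. The grp-ss ranges are constructed: the post only
# says they are address ranges within 10.0.0.0/8.
GRP_SS = (IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/16"))
WKS_SS_SERVER = IPv4Address("192.168.0.100")
GRP_SS_HIDE = IPv4Address("192.168.0.80")
FW_INSIDE_IF = IPv4Address("192.168.0.11")   # gateway interface facing the server


@dataclass(frozen=True)
class Conn:
    """A connection as the gateway sees it: original source, destination, service."""
    src: IPv4Address
    dst: IPv4Address
    service: str


@dataclass(frozen=True)
class HideRule:
    """Manual address-translation rule: original src in src_nets -> hide behind `hide`."""
    src_nets: Tuple[IPv4Network, ...]
    dst: IPv4Address
    hide: IPv4Address


# The single manual entry from the Address Translation policy in the thread.
NAT_POLICY = (HideRule(GRP_SS, WKS_SS_SERVER, GRP_SS_HIDE),)


def apply_nat(conn: Conn) -> Conn:
    """Rewrite the source if a hide rule matches the connection's original addresses."""
    for rule in NAT_POLICY:
        if conn.dst == rule.dst and any(conn.src in net for net in rule.src_nets):
            return Conn(rule.hide, conn.dst, conn.service)
    return conn  # no translation rule matched: connection leaves unchanged


def forward_accept(client: Conn) -> Conn:
    """'accept' action: the gateway routes the client's packet; NAT sees the client source."""
    return apply_nat(client)


def forward_user_auth(client: Conn, authenticated: bool) -> Optional[Conn]:
    """'User Auth' action: the security server proxies the connection.

    The client's session ends at the gateway. After authentication the gateway
    opens its own connection to the server. Its source is the gateway interface,
    which is outside grp-ss, so the hide rule does not match and is not applied.
    """
    if not authenticated:
        return None
    proxied = Conn(FW_INSIDE_IF, client.dst, client.service)
    return apply_nat(proxied)


def observed_source(action: str, client: Conn, authenticated: bool = True) -> Optional[IPv4Address]:
    """Source address wks-ss-server would log for the given rule action."""
    if action == "accept":
        return forward_accept(client).src
    if action == "User Auth":
        out = forward_user_auth(client, authenticated)
        return out.src if out is not None else None
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # Constructed client inside one of the grp-ss ranges.
    client = Conn(IPv4Address("10.1.2.3"), WKS_SS_SERVER, "http")
    for action in ("accept", "User Auth"):
        print(f"{action:9s} -> server sees source {observed_source(action, client)}")
```

The practical consequence for anyone reading the wks-ss-server logs: with User Auth in place, connections from authenticated users appear from the gateway interface rather than from the hide address, so access controls or logging on the server keyed to 192.168.0.80 will not see them.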

   All contents © 2004 Network Presence, LLC. All rights reserved.