Re: [FW1] NAT & User Auth
Matthew,

Have you gotten an answer for this one yet? Well anyway, when using authentication or one of the security servers, the firewall will be the one making the connection, not the original station. IOW, the firewall will always originate the connection. The NAT rules will not be applied in this case, as you have found out.

Robert

- -
Robert P. MacDonald, Network Engineer
Team Lead, e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice:
email: [email protected]

>>> Matthew Melbourne <[email protected]> 11/25/00 12:29:49 PM >>>
>
> Hi,
>
> I currently have a test FW-1 system in the lab, between two networks. The
> firewall interfaces are 10.0.0.1/8 and 192.168.0.11/24. This is FW-1 4.1 SP1
> running under NT.
>
> I have a rule in the rulebase which states:
>
>   src       dst            service     action
>   grp-ss    wks-ss-server  http, ftp   accept
>
> The group grp-ss contains two network objects, which define address ranges
> within the 10.0.0.0/8 subnet. wks-ss-server has IP address 192.168.0.100.
>
> There is also a single manual entry in the Address Translation policy,
> which hides the grp-ss subnets behind the address grp-ss-hide (192.168.0.80):
>
>   src       dest           service    src              dst     service
>   grp-ss    wks-ss-server  any        grp-ss-hide (H)  =orig   =orig
>
> This works exactly as expected; wks-ss-server sees traffic from the
> 'grp-ss' subnets originating from the grp-ss-hide address (192.168.0.80).
>
> If the action on the rule in the rulebase is changed to "User Auth",
> and user access is enabled, then NAT appears to not function as expected.
> (The manual Address Translation rule is still present.)
>
>   src            dst            service     action
>   users@grp-ss   wks-ss-server  http, ftp   User Auth
>
> Users are correctly authenticated and allowed access to wks-ss-server, but
> traffic appears to originate from the IP address of the firewall (192.168.0.11)
> on the 192.168.0.0/24 subnet, and not the NAT hide address of 192.168.0.80
> which would be expected. The log file shows that the address translations
> are not occurring.
>
> Cheers,
>
> Matt
> --
> Matthew Melbourne

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
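The behaviour Robert describes (the security server originates the connection itself, so the hide rule never sees the original packet) can be confirmed from the server side. The following is an added example, not code from either poster or from Check Point: it classifies connections as observed at wks-ss-server against the lab addresses in the thread. The two internal ranges that grp-ss covers are not given in the original post, so they are assumed, and the sample connections are constructed.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

# Lab addresses from the thread. The two internal ranges that grp-ss covers are
# not given in the original post, so these are assumed ranges inside 10.0.0.0/8.
FIREWALL_INTERFACES = {"10.0.0.1", "192.168.0.11"}
HIDE_RULES = [
    # (internal network being hidden, destination, hide address)
    (ipaddress.ip_network("10.1.0.0/16"), "192.168.0.100", "192.168.0.80"),
    (ipaddress.ip_network("10.2.0.0/16"), "192.168.0.100", "192.168.0.80"),
]

class Conn(NamedTuple):
    src: str
    dst: str
    service: str

def classify(conn: Conn) -> str:
    """Classify one connection as observed on the wks-ss-server side.

    hidden        source is the hide address the NAT rule should produce
    firewall-ip   source is a firewall interface: the security server behind
                  User Auth originated the connection itself, so hide NAT was
                  never applied (the behaviour reported in the thread)
    untranslated  an internal address leaked through with no translation
    other         not covered by the hide rules at all
    """
    src = ipaddress.ip_address(conn.src)
    for net, dst, hide in HIDE_RULES:
        if conn.dst == dst and conn.src == hide:
            return "hidden"
        if conn.dst == dst and src in net:
            return "untranslated"
    if conn.src in FIREWALL_INTERFACES:
        return "firewall-ip"
    return "other"

def audit(conns):
    """Count each classification; anything but 'hidden' deserves a look."""
    return dict(Counter(classify(c) for c in conns))

# Constructed sample of what the server might log under the two rule variants.
SAMPLE = [
    Conn("192.168.0.80", "192.168.0.100", "http"),  # accept rule, hide NAT applied
    Conn("192.168.0.11", "192.168.0.100", "http"),  # User Auth: firewall originates
    Conn("192.168.0.11", "192.168.0.100", "ftp"),
    Conn("10.1.5.7", "192.168.0.100", "http"),      # internal address leaked
]
```

Running `audit(SAMPLE)` on the constructed sample reports one hidden, two firewall-ip and one untranslated connection; a steady stream of firewall-ip entries behind a User Auth rule is the expected signature of the security server proxying, not a NAT fault.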