RE: [FW1] Anti-Spoofing Configuration

Agree with the internal DNS. As for why it doesn't work:

Assume hostA is on net1 at 10.0.0.1, hostB is on net1 at 10.0.0.2, NAT via FW to 192.168.0.2.

Now hostA tries to send a packet to hostB via 192.168.0.2. The packet travels to the firewall; imagine the firewall accepts it and translates it back to hostB at 10.0.0.2. Now what hostB sees is a request from hostA at 10.0.0.1, so how will it respond? Directly to hostA, with source 10.0.0.2 and destination 10.0.0.1. HostA is looking for a reply from 192.168.0.2 and never asked for anything from 10.0.0.2, and so rejects the reply.

I haven't verified any of the actual packets, but I know it isn't worth even trying to get that to work. Just use local DNS servers and all the traffic goes smooth.

Daniel Gaughan

-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: Wednesday, December 06, 2000 3:55 PM
To: 'John Delano'; [email protected]
Subject: RE: [FW1] Anti-Spoofing Configuration

I assume you're talking about an external NAT on the firewall, such that the packet would need to "bounce off" the firewall and come back in on the NAT'd address. If so, I have never ever seen this work either. I've tested on Checkpoint, Watchguard, and PIX, all with the same result. I suspect it has to do with the asymmetry of a hide-mode outbound NAT coming back in through a different address, such that the firewall can't match it in the state table. We work around the issue by creating internal DNS entries to go straight at the resources we need.

Anyone have a better/more accurate/more thorough explanation?

Dan Hitchcock CCNA, MCSE
Network Engineer
Xylo, Inc. The work/life solution for corporate thought leaders

-----Original Message-----
From: John Delano [mailto:[email protected]]
Sent: Wednesday, December 06, 2000 9:18 AM
To: [email protected]
Subject: [FW1] Anti-Spoofing Configuration

From my internal network, if I try to connect to a device on the same internal network using the NATed address, it does not work. I have followed rules on phoneboy regarding this issue, but have had no success. This applies to my web server and my mail server. Has anyone dealt with this problem, or can offer any other suggestions?

Regards,
John Delano

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
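The "bounce" that Daniel Gaughan walks through at the top of this thread can be traced with a small packet-flow model. This is an added example written for this archive page, not code from anyone on the list. It reproduces the thread's topology (hostA 10.0.0.1 and hostB 10.0.0.2 on one subnet, the firewall statically NATing 192.168.0.2 to 10.0.0.2); the firewall's inside interface address 10.0.0.254 and the port numbers are assumptions. It shows the destination-NAT-only case failing exactly as described, the internal-DNS workaround from the thread succeeding, and, going beyond what the thread discusses, a hairpin variant where the firewall also source-NATs the request so the reply is forced back through its state table.

```python
"""Model of the NAT bounce failure discussed in the thread (added example, not from the list)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    reply: bool = False


class Host:
    """A host that only accepts a reply matching a request it actually sent."""

    def __init__(self, ip):
        self.ip = ip
        self.pending = set()   # (peer ip, peer port, local port) of outstanding requests
        self.log = []

    def send_request(self, dst, dport, sport=40000):   # sport is an assumed value
        self.pending.add((dst, dport, sport))
        return Packet(self.ip, dst, sport, dport)

    def receive(self, pkt):
        if not pkt.reply:
            # Server side: answer to whatever source address the request carried.
            self.log.append(f"{self.ip}: request from {pkt.src}:{pkt.sport}")
            return Packet(self.ip, pkt.src, pkt.dport, pkt.sport, reply=True)
        key = (pkt.src, pkt.sport, pkt.dport)
        if key in self.pending:
            self.pending.discard(key)
            self.log.append(f"{self.ip}: accepted reply from {pkt.src}")
            return True
        self.log.append(f"{self.ip}: rejected reply from {pkt.src}, no matching request")
        return False


class Firewall:
    INSIDE_IP = "10.0.0.254"                    # assumed inside interface address
    STATIC_NAT = {"192.168.0.2": "10.0.0.2"}    # public -> internal, as in the thread

    def __init__(self, hairpin=False):
        self.hairpin = hairpin
        self.state = {}   # (translated src ip, src port) -> (real client, public address used)

    def inbound(self, pkt):
        """Translate a packet addressed to a NATed public address."""
        real = self.STATIC_NAT[pkt.dst]
        if not self.hairpin:
            # Destination NAT only: the server sees the client's real address and replies
            # straight to it on the same subnet, so the firewall never sees the reply.
            return replace(pkt, dst=real)
        # Hairpin NAT (beyond the thread): also rewrite the source to the firewall, so the
        # reply comes back here and can be un-translated against the state table.
        self.state[(self.INSIDE_IP, pkt.sport)] = (pkt.src, pkt.dst)
        return replace(pkt, src=self.INSIDE_IP, dst=real)

    def reverse(self, pkt):
        """Un-translate a reply that came back to the firewall's inside address."""
        client, public = self.state.pop((pkt.dst, pkt.dport))
        return replace(pkt, src=public, dst=client)


def route(pkt, hosts, fw):
    """Deliver one packet on net1. Same-subnet traffic never touches the firewall."""
    if pkt.dst in hosts:
        return hosts[pkt.dst].receive(pkt)
    if pkt.dst == fw.INSIDE_IP:
        return route(fw.reverse(pkt), hosts, fw)
    if pkt.dst in fw.STATIC_NAT:
        return route(fw.inbound(pkt), hosts, fw)
    return None   # no route: dropped


def run(target, hairpin=False):
    """hostA sends one request to `target`; returns True if hostA accepts the reply."""
    hosts = {ip: Host(ip) for ip in ("10.0.0.1", "10.0.0.2")}
    fw = Firewall(hairpin)
    reply = route(hosts["10.0.0.1"].send_request(target, 80), hosts, fw)
    accepted = route(reply, hosts, fw)
    for h in hosts.values():
        print("\n".join(h.log))
    return accepted


if __name__ == "__main__":
    print("via NATed address, DNAT only :", run("192.168.0.2"))          # False
    print("via internal DNS (10.0.0.2)   :", run("10.0.0.2"))            # True
    print("via NATed address, hairpin    :", run("192.168.0.2", True))   # True
```

In the first run hostB's reply carries source 10.0.0.2, which hostA never sent a request to, so the reply is discarded; that is the asymmetry both replies in the thread describe. Pointing internal clients at 10.0.0.2 directly (the internal DNS fix) keeps the whole exchange on one subnet. The hairpin variant works, but note from hostB's log that the server then sees every internal client as 10.0.0.254, which hurts logging and any source-based access control on the server.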