
RE: [FW1] Anti-Spoofing Configuration



Daniel: your description is completely correct.

But there are, in fact, cases where you would like to use the
scenario that John described.
We faced this problem too when we were trying to contact our
web servers through the proxy chain and we didn't want to change
the proxy structure or to have different DNS entries internally
and externally. As a result the proxy wasn't able to contact the
web servers directly because it received answers from a different
IP than the one it contacted.

Our workaround was to NAT both the source AND the destination.

This means: write your NAT rules in a way that a request from
'10.0.0.1' to '192.168.0.2' is NATed to a request from
(let's say) 'external_ISP_router' to '10.0.0.2'. In this case
the destination will get a request from a system that seems not
to be reachable on its local subnet. It will thus send its reply
back to its default gateway (the firewall), which will NAT it back
to a reply from '192.168.0.2' to '10.0.0.1'. It works fine!

Hope you got the meaning of my weird wording ;-)

with kind regards,
Bernd Fritzsche - Netzwerktechnik / FIT-CN2
---
Heidelberger Druckmaschinen AG - Gutenbergstr. 2 - D-69168 Wiesloch
POTS(Fax)+49 6222 82 2845(3440) / [email protected]
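The two behaviours discussed in this thread (Daniel's failure case with destination-only NAT, and the source-plus-destination NAT workaround above) as a small added simulation; this is illustrative code written for this page, not anything from the thread or from any firewall product. The hosts and NAT address are the thread's; the firewall's outside address (203.0.113.1) is a constructed placeholder standing in for 'external_ISP_router'.

```python
import ipaddress

# Topology from the thread: hostA and hostB share net1; hostB is also
# reachable from outside as 192.168.0.2 via the firewall's NAT.
NET1 = ipaddress.ip_network("10.0.0.0/24")
HOST_A, HOST_B = "10.0.0.1", "10.0.0.2"
NAT_B = "192.168.0.2"
FW_EXTERNAL = "203.0.113.1"  # constructed placeholder for 'external_ISP_router'


def firewall_forward(pkt, nat_source):
    """Translate a request addressed to NAT_B; return (translated packet, state)."""
    src, dst = pkt
    if dst != NAT_B:
        return pkt, None
    # With nat_source=True the firewall also rewrites the source (hairpin NAT),
    # so hostB sees a sender that is not on its own subnet.
    new_src = FW_EXTERNAL if nat_source else src
    translated = (new_src, HOST_B)
    # State entry: the expected reply flow mapped back to the original flow.
    state = {(HOST_B, new_src): (NAT_B, src)}
    return translated, state


def host_reply(pkt):
    """hostB answers; it replies directly if the sender is on its local subnet,
    otherwise it hands the reply to its default gateway (the firewall)."""
    src, dst = pkt
    reply = (dst, src)
    direct = ipaddress.ip_address(src) in NET1
    return reply, direct


def firewall_return(reply, state):
    """Reverse-translate a reply that came back through the firewall."""
    return state.get(reply, reply)


def run(nat_source):
    """Return what hostA sees and whether it matches the reply it is waiting for."""
    request = (HOST_A, NAT_B)
    forwarded, state = firewall_forward(request, nat_source)
    reply, direct = host_reply(forwarded)
    if not direct:
        reply = firewall_return(reply, state)
    accepted = reply == (NAT_B, HOST_A)  # hostA expects a reply from 192.168.0.2
    return {"reply_seen_by_hostA": reply, "via_firewall": not direct, "accepted": accepted}
```

run(False) reproduces Daniel's case (hostB answers directly from 10.0.0.2 and hostA discards it); run(True) reproduces the double-NAT workaround, where the reply is forced back through the firewall and arrives from 192.168.0.2.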



> -----Original Message-----
> From: Gaughan, Daniel [mailto:[email protected]]
> Sent: Wednesday, 6 December 2000 22:56
> To: 'Dan Hitchcock'; 'John Delano';
> [email protected]
> Subject: RE: [FW1] Anti-Spoofing Configuration
> 
> 
> Agree with the internal DNS.
> 
> As for why it doesn't work:
> 
>   Assume hostA is on net1 at 10.0.0.1
>          hostB is on net1 at 10.0.0.2 NAT via FW to 192.168.0.2
> 
> Now hostA tries to send a packet to hostB via 192.168.0.2. The packet
> travels to the firewall and imagine the firewall accepts it and translates
> it back to hostB at 10.0.0.2. Now what hostB sees is a request from hostA at
> 10.0.0.1, how will it respond? Directly to hostA with source 10.0.0.2 and
> destination 10.0.0.1. HostA is looking for a reply from 192.168.0.2 and
> never asked for anything from 10.0.0.2 and so rejects the reply.
> 
> I haven't verified any of the actual packets, but I know it isn't worth even
> trying to get that to work. Just use local DNS servers and all the traffic
> goes smoothly.
> 
> Daniel Gaughan
> 
> -----Original Message-----
> From: Dan Hitchcock [mailto:[email protected]]
> Sent: Wednesday, December 06, 2000 3:55 PM
> To: 'John Delano'; [email protected]
> Subject: RE: [FW1] Anti-Spoofing Configuration
> 
> 
> 
> I assume you're talking about an external NAT on the firewall, such that the
> packet would need to "bounce off" the firewall and come back in on the NAT'd
> address.
> 
> If so, I have never ever seen this work either.  I've tested on Checkpoint,
> Watchguard, and PIX, all with the same result.  I suspect it has to do with
> the asymmetry of a hide-mode outbound NAT coming back in through a different
> address, such that the firewall can't match it in the state table.
> 
> We work around the issue by creating internal DNS entries to go straight at
> the resources we need.
> 
> Anyone have a better/more accurate/more thorough explanation?
> 
> Dan Hitchcock
> CCNA, MCSE
> Network Engineer
> Xylo, Inc.
> The work/life solution for corporate thought leaders
> 
> 
> -----Original Message-----
> From: John Delano [mailto:[email protected]]
> Sent: Wednesday, December 06, 2000 9:18 AM
> To: [email protected]
> Subject: [FW1] Anti-Spoofing Configuration
> 
> 
> 
> From my internal network, if I try to connect to a device on the same
> internal network using the NATed address, it does not work.  I have followed
> rules on phoneboy regarding this issue, but have had no success.  This
> applies to my web server and my mail server.  Has anyone dealt with this
> problem, or can offer any other suggestions?
> 
> Regards,  
> 
> John Delano
> 
> 
> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
