
Re: [FW1] Problem with NAT



On Tue, Dec 19, 2000 at 07:30:14PM -0600, Martin H Hoz-Salvador wrote:
>
> > > > On IP440 with CP FW-1 4.0 SP5 I have hidden all intranet addresses, but 
> > > > sometimes, quite seldom, some addresses are not hidden.  Could anybody comment on it?
> > >
> > > Duh? I guess you have your intranet addresses NATted... :-) If so, what
> > > do you mean with "sometimes some addresses are not hidden"??? Do you mean
> > > that internal IPs are accessible from outside? Do you mean internal
> > > addresses can reach external networks?
> > 
> > I mean that internal addresses can reach external networks. But not 
> > always, just sometimes, randomly and quite seldom.  I have Dynamic NAT 
> > (many IPs use one valid IP address to do NAT).
> 
> I'm sorry, and I may look stupid... but I can't see the error: If you
> have NAT, then your internal IPs should be able to reach external networks:
> That's why you want to set up NAT.

Thank You, Martin,

My goal is that my LAN IP addresses are hidden and from outside only the gateway IP address is seen. I have set up NAT like this:
-----------------------------------------------------------------------
|  Original Packet          |   Translated Packet            |Install on|
|---------------------------|--------------------------------|          |
| Source       |Dest.|Serv. | Source  | Destinat. | Service  |          |
|------------------------------------------------------------|----------|
| LAN_machines | Any | Any  | gateway | Original  | original | Gateway  |
-----------------------------------------------------------------------

But the problem is that sometimes, with some services, the LAN_machines are seen from outside.

---
Regards,
Ahti Akel
 
> Which services are you able to reach from your internal machines? Are you
> able to ping? Can you use a web browser? Can you telnet? This could be a
> routing problem... but I'm not sure... Do you have invalid addresses internally? (I 
> mean 10.*, 192.168.* or so...) 
> 
> 
> Theoretically, if you want to deny all traffic from the internal network, simply 
> allow the traffic you want to pass your firewall: FW-1 uses the philosophy 
> "things not expressly allowed are forbidden". 
> 
> If you are able to access the external net, theoretically you should have:
> - A proxy server allowed by the firewall to reach the external NET (with NAT or a 
> 	simple "allow rule").
> - A "NAT server". This could be a router, a firewall or something.
> - If you have valid IP addresses in your internal network, an "allow" rule
> 
> Another possible issue: Do you have "smart" users that can try to bypass
> the firewall using another router as default gateway or some trick like this?
> 
> This is what comes to my mind... :-|  Hope this helps in some way. :-)
> 
> -- M. Hoz


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
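The thread's question is how to tell, per service, whether the hide-NAT rule above is actually rewriting the source of every outbound packet. The script below is an added example, not code from the list or from Check Point: it takes flow records as a capture on the gateway's external interface would show them (src, dst, protocol, destination port), applies the rule from the table (LAN_machines -> gateway, destination and service unchanged), and reports which services still carry un-hidden LAN sources. The LAN range, gateway address and flow lines are constructed placeholders, since the thread names "LAN_machines" and "gateway" without giving addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders: the thread gives no addresses for LAN_machines
# or the gateway, so these are assumptions for the example.
LAN_MACHINES = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_IP = ipaddress.ip_address("203.0.113.10")

# Constructed flow records as seen on the external interface:
# "src dst proto dport". Correctly hidden flows carry the gateway address;
# the icmp and udp/53 lines model the "sometimes not hidden" symptom.
SAMPLE_FLOWS = """\
203.0.113.10 198.51.100.5 tcp 80
203.0.113.10 198.51.100.5 tcp 443
192.168.1.23 198.51.100.7 icmp 0
203.0.113.10 198.51.100.9 tcp 23
192.168.1.45 198.51.100.9 udp 53
192.168.1.23 198.51.100.7 icmp 0
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        records.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
        })
    return records


def hide_nat_expected(src):
    """The table's single rule: LAN_machines -> gateway; everything else untouched.
    Destination and service stay 'Original', so only the source is rewritten."""
    return GATEWAY_IP if src in LAN_MACHINES else src


def find_unhidden(records):
    """Group flows whose source is still a LAN address by (proto, dport).
    Any entry here means the hide rule did not apply to that service."""
    leaks = defaultdict(set)
    for r in records:
        if hide_nat_expected(r["src"]) != r["src"]:
            # Rule says this source should have been rewritten, but it was not.
            leaks[(r["proto"], r["dport"])].add(str(r["src"]))
    return {service: sorted(hosts) for service, hosts in leaks.items()}


def report(text):
    """Human-readable summary per service of un-hidden LAN sources."""
    leaks = find_unhidden(parse_flows(text))
    if not leaks:
        return "all outbound flows carry the gateway address"
    lines = []
    for (proto, dport), hosts in sorted(leaks.items()):
        lines.append(f"{proto}/{dport}: LAN sources visible externally: {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```

Running it against the constructed flows reports icmp/0 and udp/53 as the services on which LAN addresses reach the outside untranslated, which is the per-service breakdown the reply asks for (ping, web, telnet) before deciding between a NAT-rule problem and a routing path that bypasses the gateway.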
   All contents © 2004 Network Presence, LLC. All rights reserved.