Re: [FW1] Problem with NAT
On Tue, Dec 19, 2000 at 07:30:14PM -0600, Martin H Hoz-Salvador wrote:
>
> > > > On IP440 with CP FW-1 4.0 SP5 I have hidden all intranet addresses, but
> > > > sometimes, quite seldom, some addresses are not hidden. Could anybody comment on it?
> > >
> > > Duh? I guess you have your intranet addresses NATted... :-) If so, what
> > > do you mean with "sometimes some addresses are not hidden"??? Do you mean
> > > that internal IPs are accessible from outside? Do you mean internal
> > > addresses can reach external networks?
> >
> > I mean that internal addresses can reach the external network. But not
> > always, just sometimes, randomly and quite seldom. I have Dynamic NAT
> > (many IPs use one valid IP address to do NAT).
>
> I'm sorry, and I may look stupid... but I can't see the error: if you
> have NAT, then your internal IPs should be able to reach external networks:
> that's why you want to set up NAT.

Thank you, Martin.

My goal is that my LAN IP addresses are hidden and from outside only the
gateway IP address is seen. I have set up NAT so:

+--------------------------------+----------------------------------+------------+
| Original Packet                | Translated Packet                | Install on |
+--------------+-------+---------+---------+-------------+----------+------------+
| Source       | Dest. | Serv.   | Source  | Destination | Service  |            |
+--------------+-------+---------+---------+-------------+----------+------------+
| LAN_machines | Any   | Any     | gateway | Original    | Original | Gateway    |
+--------------+-------+---------+---------+-------------+----------+------------+

But the problem is that sometimes, with some services, the LAN_machines are
seen from outside.

---
Regards,
Ahti Akel

> Which services are you able to reach from your internal machines? Are you
> able to ping? Can you use a web browser? Can you telnet? This could be a
> routing problem... but I'm not sure... Do you have invalid addresses
> internally? (I mean 10.*, 192.168.* or so...)
>
> Theoretically, if you want to deny all traffic from the internal network, simply
> allow the traffic you want to pass your firewall: FW-1 uses the philosophy
> "things not expressly allowed are forbidden".
>
> If you are able to access the external net, theoretically you should have:
> - A proxy server allowed by the firewall to reach the external NET (with NAT or a
>   simple "allow" rule).
> - A "NAT server". This could be a router, a firewall or something.
> - If you have valid IP addresses in your internal network, an "allow" rule.
>
> Another possible issue: Do you have "smart" users that can try to bypass the
> firewall using another router as default or some trick like this?
>
> This is what comes to my mind... :-| Hope this helps in some way. :-)
>
> -- M. Hoz

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
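Martin's question ("which services?") is best answered from the outside of the gateway rather than from the rule base: capture on the external side and classify everything that arrives with a LAN source address, since with the hide rule above nothing but the gateway address should ever appear there. The script below is an added example written for this page, not code from the thread or from Check Point. It assumes the LAN uses RFC1918 space (the thread never states Ahti's real addressing), reads the one-line-per-packet format printed by `tcpdump -n`, and uses a sample capture constructed here, in which 203.0.113.2 stands in for the gateway's hide address and 198.51.100.x for outside hosts.

```python
"""Classify packets captured outside a hide-NAT gateway and report which
services leave with an untranslated (LAN) source address.

Added example. Assumptions: the LAN uses RFC1918 space and the capture is
in the one-line-per-packet format printed by `tcpdump -n`.
"""
import ipaddress
import re
from collections import Counter

# Assumed LAN ranges (the thread never states the real internal addressing).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of what a capture on the gateway's external side might
# show.  Three lines carry a raw LAN source, i.e. the hide rule did not apply.
SAMPLE_CAPTURE = """\
19:31:02.101 IP 203.0.113.2.1034 > 198.51.100.7.80: Flags [S], seq 1, win 8192, length 0
19:31:02.220 IP 203.0.113.2.1035 > 198.51.100.7.443: Flags [S], seq 1, win 8192, length 0
19:31:03.005 IP 192.168.1.17 > 198.51.100.7: ICMP echo request, id 512, seq 1, length 64
19:31:04.330 IP 192.168.1.23.1036 > 198.51.100.9.21: Flags [S], seq 1, win 8192, length 0
19:31:05.001 IP 203.0.113.2.1037 > 198.51.100.7.25: Flags [S], seq 1, win 8192, length 0
19:31:06.410 IP 192.168.1.17 > 198.51.100.7: ICMP echo request, id 512, seq 2, length 64
19:31:07.002 IP 203.0.113.2.1038 > 198.51.100.7.53: UDP, length 40
"""

# tcpdump -n prints "<time> IP src[.sport] > dst[.dport]: <protocol details>".
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return (src, dst, service) for one tcpdump line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("ICMP"):
        service = "icmp"                      # no ports; ICMP is one service
    elif rest.startswith("UDP"):
        service = "udp/" + m.group("dport")
    else:
        service = "tcp/" + m.group("dport")   # tcpdump prints TCP as "Flags [...]"
    return m.group("src"), m.group("dst"), service


def is_lan(addr, lan_nets=LAN_NETS):
    """True if addr falls inside one of the networks the hide rule should cover."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in lan_nets)


def find_leaks(capture_text, lan_nets=LAN_NETS):
    """Packets seen outside with a LAN source: traffic the hide rule missed."""
    leaks = []
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed and is_lan(parsed[0], lan_nets):
            leaks.append(parsed)
    return leaks


def leaks_by_service(capture_text, lan_nets=LAN_NETS):
    """Answer 'which services?': count leaked packets per service."""
    return Counter(svc for _, _, svc in find_leaks(capture_text, lan_nets))


if __name__ == "__main__":
    for src, dst, service in find_leaks(SAMPLE_CAPTURE):
        print(f"LEAK {src} -> {dst} {service}")
    print(dict(leaks_by_service(SAMPLE_CAPTURE)))
```

For a real check, feed `find_leaks` the output of a capture taken on the external interface of the gateway or on a host beyond it, for example `tcpdump -n -i <external interface> 'src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16'`; a capture on the inside is useless for this purpose because every source there is a LAN address by design. The per-service counts are what you would then compare against the rule base to see which service is bypassing the hide rule.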