
RE: [FW1] Problem with NAT



I believe the original question was probably related to "NAT leaking", where
internal addresses sometimes pass through the firewall without being NATd as
they should.  As a result, of course, the sessions fail.

The issue of "leaking NAT" is on the fix list for FW1 4.1 SP3 - haven't
tested yet whether it is really fixed.

If I have also misunderstood the original question, please repost.

Dan Hitchcock
CCNA, MCSE
Network Engineer
Xylo, Inc. The work/life solution for corporate thought leaders


-----Original Message-----
From: Martin H Hoz-Salvador [mailto:[email protected]]
Sent: Tuesday, December 19, 2000 5:30 PM
To: Ahti Akel
Cc: Martin Hoz Salvador -CITI Soporte;
[email protected]
Subject: Re: [FW1] Problem with NAT



> > > On IP440 with CP FW-1 4.0 SP5 I have hidden all intranet addresses, but
> > > sometimes quite seldom some addresses are not hidden.  Could anybody
> > > comment on it?
> >
> > Duh? I guess you have your intranet addresses NATted... :-) If so, what
> > do you mean with "sometimes some addresses are not hidden"??? Do you mean
> > that internal IP's are accessible from outside? Do you mean internal
> > addresses can reach external networks?
> 
> I mean that internal addresses can reach the external network. But not
> always, just sometimes randomly and quite seldom.  I have Dynamic NAT
> (many IP's use one valid IP address to do NAT).

I'm sorry, and I may look stupid... but I can't see the error: If you
have NAT, then your internal IP's should be able to reach external networks:
That's why you want to set up NAT.

Which services are you able to reach from your internal machines? Are you
able to ping? Can you use a web browser? Can you telnet? This could be a
routing problem... but I'm not sure... Do you have invalid addresses
internally? (I mean 10.*, 192.168.* or so...)


Theoretically, if you want to deny all traffic from the internal network, simply
allow the traffic you want to pass your firewall: FW-1 uses the philosophy
"things not expressly allowed are forbidden".

If you are able to access the external net, theoretically you should have:
- A proxy server allowed by the firewall to reach the external NET (with NAT or a
	simple "allow rule").
- A "NAT server". This could be a router, a firewall or something.
- If you have valid IP addresses in your internal network, an "allow" rule

Another possible issue: Do you have "smart" users that can try to bypass the
firewall using another router as default or some trick like this?

This is what comes to my mind... :-|  Hope this helps in some way. :-)

-- M. Hoz

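The "NAT leaking" symptom described in the replies above (internal addresses occasionally passing the firewall untranslated, so the session fails because the reply cannot be routed back) is easiest to confirm by sniffing the outside interface of the firewall: with hide NAT working, every outbound packet there carries the single valid hide address, so any RFC 1918 source seen on that side is a leak. The script below is an added example, not code from the thread, from Check Point or from the FW-1 product; it parses tcpdump-style text (the constructed sample is embedded, the hide address 203.0.113.10 and the outside address 198.51.100.5 are assumed documentation addresses) and reports the untranslated flows, per source host, which also helps separate a firewall-side NAT failure (many sources) from a single host bypassing the firewall through another default router (one source).

```python
"""Check an outside-interface capture for "leaking NAT": internal (RFC 1918)
source addresses that reached the outside of the firewall untranslated.

Added example; not Check Point or FW-1 code. Input is text in the form of
  tcpdump -n -i <outside-if> 'src net 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16'
captured on the OUTSIDE interface, where every packet from inside should
already carry the hide address.
"""
import ipaddress
import re
from collections import Counter

# tcpdump -n output for TCP/UDP: "<ts> IP <src>.<sport> > <dst>.<dport>: ..."
PACKET_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Assumed addressing for this example (RFC 5737 documentation ranges, not from
# the thread): one valid hide address shared by all internal hosts.
HIDE_ADDRESS = ipaddress.ip_address("203.0.113.10")
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample capture from the outside interface: two properly hidden
# SYNs, three leaked SYNs, and one legitimate reply to the hide address.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.10.40123 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000200 IP 203.0.113.10.40124 > 198.51.100.5.443: Flags [S], seq 1, win 65535, length 0
12:00:02.000300 IP 10.1.2.3.40125 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
12:00:03.000400 IP 192.168.7.9.1025 > 198.51.100.6.53: Flags [S], seq 1, win 65535, length 0
12:00:04.000500 IP 198.51.100.5.80 > 203.0.113.10.40123: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:05.000600 IP 10.1.2.3.40126 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
"""


def parse_packets(capture_text):
    """Yield (ts, src, sport, dst, dport) for every TCP/UDP line; ARP, ICMP
    and other lines without ports are skipped."""
    for line in capture_text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        yield (m["ts"], ipaddress.ip_address(m["src"]), int(m["sport"]),
               ipaddress.ip_address(m["dst"]), int(m["dport"]))


def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr falls in one of the address ranges that must never leave."""
    return any(addr in net for net in nets)


def find_nat_leaks(capture_text, nets=INTERNAL_NETS):
    """Return the packets seen on the outside interface whose source is still
    an internal address, i.e. packets that should have been rewritten to the
    hide address and were not."""
    leaks = []
    for ts, src, sport, dst, dport in parse_packets(capture_text):
        if is_internal(src, nets):
            leaks.append({"ts": ts, "src": str(src), "sport": sport,
                          "dst": str(dst), "dport": dport})
    return leaks


def leak_summary(leaks):
    """Leaked packets per internal source: one host points at a bypass route
    or a host-side misconfiguration, many hosts at a firewall-side failure."""
    return Counter(leak["src"] for leak in leaks)


if __name__ == "__main__":
    found = find_nat_leaks(SAMPLE_CAPTURE)
    for leak in found:
        print("LEAK {ts} {src}:{sport} -> {dst}:{dport}".format(**leak))
    for host, n in leak_summary(found).most_common():
        print("{:<16} {} untranslated packet(s)".format(host, n))
```

Run against a real capture, a non-empty result means hide NAT is not being applied to those flows; an empty result over a representative period is the evidence that the fix mentioned above is actually effective on your gateway.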


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.