RE: [FW1] Problem with NAT
I believe the original question was probably related to "NAT leaking", where internal addresses sometimes pass through the firewall without being NATd as they should. As a result, of course, the sessions fail. The issue of "leaking NAT" is on the fix list for FW1 4.1 SP3 - haven't tested yet whether it is really fixed. If I have also misunderstood the original question, please repost.

Dan Hitchcock CCNA, MCSE
Network Engineer
Xylo, Inc. The work/life solution for corporate thought leaders

-----Original Message-----
From: Martin H Hoz-Salvador [mailto:[email protected]]
Sent: Tuesday, December 19, 2000 5:30 PM
To: Ahti Akel
Cc: Martin Hoz Salvador -CITI Soporte; [email protected]
Subject: Re: [FW1] Problem with NAT

> > > On IP440 with CP FW-1 4.0 SP5 I have hidden all intranet addresses, but
> > > sometimes quite seldom some addresses are not hidden. Could anybody comment on it?
> >
> > Duh? I guess you have your intranet addresses NATted... :-) If so, what
> > do you mean with "sometimes some addresses are not hidden"??? Do you mean
> > that internal IPs are accessible from outside? Do you mean internal
> > addresses can reach external networks?
>
> I mean that internal addresses can reach external networks. But not
> always, just sometimes randomly and quite seldom. I have Dynamic NAT
> (many IPs use one valid IP address to do NAT).

I'm sorry, and I may look stupid... but I can't see the error: If you have NAT, then your internal IPs should be able to reach external networks: that's why you want to set up NAT.

Which services are you able to reach from your internal machines? Are you able to ping? Can you use a web browser? Can you telnet?

This could be a routing problem... but I'm not sure... Do you have invalid addresses internally? (I mean 10.*, 192.168.* or so...)

Theoretically, if you want to deny all traffic from the internal network, simply allow the traffic you want to pass your firewall: FW-1 uses the philosophy "things not expressly allowed are forbidden".

If you are able to access the external net, theoretically you should have:
- A proxy server allowed by the firewall to reach the external NET (with NAT or a simple "allow rule").
- A "NAT server". This could be a router, a firewall or something.
- If you have valid IP addresses in your internal network, an "allow" rule.

Another possible issue: Do you have "smart" users that can try to bypass the firewall using another router as default or some trick like this?

This is what comes to my mind... :-|

Hope this helps in some way. :-)

--
M. Hoz

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
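The thread describes "NAT leaking" as internal (RFC 1918) addresses passing the firewall without being hidden behind the NAT address. One way to confirm whether that is happening, and which hosts are affected, is to capture packets on the gateway's external leg and flag any outbound packet whose source is still private. The script below is an added example and is not part of the original thread, nor FireWall-1's own logging or tooling: the key=value packet-record format, the interface names (eth1 as the external interface), the hide address 203.0.113.10 and all other addresses are constructed for the illustration.

```python
"""Detect 'NAT leaks': packets that left the external interface still carrying
an RFC 1918 source address, i.e. traffic the hide-NAT rule should have
rewritten but did not.  The record format below is constructed for this
example; it is not FireWall-1's log format."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# RFC 1918 private ranges: the "invalid addresses" the thread refers to.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed sample capture: one key=value record per packet seen on a
# gateway interface.  203.0.113.10 plays the role of the hide-NAT address,
# eth1 is assumed to be the external interface, eth0 the internal one.
SAMPLE_LOG = """\
iface=eth1 dir=out src=203.0.113.10 dst=198.51.100.7 proto=tcp dport=80
iface=eth1 dir=out src=203.0.113.10 dst=198.51.100.7 proto=tcp dport=443
iface=eth1 dir=out src=192.168.1.23 dst=198.51.100.7 proto=tcp dport=80
iface=eth0 dir=in src=192.168.1.23 dst=198.51.100.7 proto=tcp dport=80
iface=eth1 dir=out src=10.0.5.9 dst=198.51.100.20 proto=udp dport=53
iface=eth1 dir=out src=192.168.1.23 dst=192.168.2.40 proto=tcp dport=445
iface=eth1 dir=in src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=1025
""".splitlines()


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_record(line: str) -> Packet:
    """Parse one constructed key=value record into a Packet."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Packet(fields["iface"], fields["dir"],
                  ipaddress.ip_address(fields["src"]),
                  ipaddress.ip_address(fields["dst"]),
                  fields["proto"], int(fields["dport"]))


def is_rfc1918(addr) -> bool:
    """True if addr (str or IPv4Address) falls in an RFC 1918 range."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in RFC1918)


def find_nat_leaks(lines, external_ifaces=("eth1",)):
    """Return outbound packets on an external interface whose source address
    is still private.  Such a packet was never rewritten by hide NAT, so the
    reply can never come back and the session fails, as the thread describes.
    Inbound packets and packets on internal interfaces are legitimately
    un-NATted and are ignored."""
    leaks = []
    for line in lines:
        p = parse_record(line)
        if (p.iface in external_ifaces and p.direction == "out"
                and is_rfc1918(p.src)):
            leaks.append(p)
    return leaks


def leak_summary(leaks):
    """Count leaked packets per internal source.  One leaking host suggests a
    host routing around the gateway (Martin's 'smart users' case); many hosts
    leaking points at the gateway's NAT processing itself."""
    return Counter(str(p.src) for p in leaks)


if __name__ == "__main__":
    found = find_nat_leaks(SAMPLE_LOG)
    for p in found:
        print(f"LEAK on {p.iface}: {p.src} -> {p.dst} {p.proto}/{p.dport}")
    print(dict(leak_summary(found)))
```

Run against a real capture, the interesting output is the per-source summary: a leak confined to one or two hosts is more consistent with a routing or default-gateway problem on those hosts, while leaks spread across the whole internal range match the intermittent gateway-side behaviour Ahti reported.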