
RE: [FW1] Cannot connect using public address



Thanks to another list member for answering this question for me a while back -
 
The reason the ping (and any other IP protocol) fails is that the client originating the ping receives the reply from a different address than it expects.
 
For example, if your machine (e.g. 10.5.5.5) pings server 209.5.5.5 (external NAT address), the firewall then translates the packet destination and forwards the packet to the internal server (e.g. 10.5.5.1).  When server 10.5.5.1 receives the ping and sees that its origin is 10.5.5.5 (on its same subnet), it sends the reply directly back to the client (with a source of its real ip, of course - 10.5.5.1).  The client, upon receiving this packet, ignores it, since it is waiting for a reply from 209.5.5.5.
 
Hope that makes sense.  You may be able to work around it by creating a NAT rule that translates both source and destination for packets from inside headed for NATs on the firewall.  It would need to go above any other NAT rules involving either the internal network or the public servers.  Haven't had a chance to test...
 
The solution you propose (DNS) is the most common resolution to this issue.  I don't call it a "problem," since it's just the way that IP works.
 
Let me know if you have a chance to test, and what happens.

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates

[email protected]
http://www.breakwatersecurity.com

-----Original Message-----
From: Tony Wong [mailto:[email protected]]
Sent: Wednesday, February 28, 2001 11:15 AM
To: [email protected]
Subject: [FW1] Cannot connect using public address

We recently moved to using NAT on our firewall:
 
Private range: 192.168.0.0 -- 192.168.0.1 - 192.168.0.100 for servers, switches, etc.
 
DHCP: 192.168.0.101 - 254 DHCP clients
 
We have internal web servers and a mail server with FQDNs that the outside can access with no problems by using static NAT.
 
Problem is internal clients cannot connect to these public (statically NATted) IP addresses within the local network.
 
They can connect to it with the private address.
 
The only fix I have so far is by putting hosts files on their machines so that the web and mail servers get resolved to the private IP address. Also using internal DNS.
 
Question is why these internal clients are not able to access the public IP address of the web server. I cannot ping this web server by its public IP address.
 
I can ping the firewall on both its internal and public IP address.
 
 
Yes, the web server's statically NATted address is in the same subnet as the firewall's external IP.


 