
[FW1] Summary: Some packets don't have NATted. Have you seen this before?



Hello all FW-friends,
 
First of all thanks for everybody who sent me experiences about this.
 
I read some material that confirms the TCP timeout problem, but the strange thing in my case is that it occurs in UDP traffic...
 
I like the SP3 idea, and I'll check whether it is installed or not and I'll keep in touch.
 
Once again, thanks very much for all those who sent me suggestions!
 
BTW, here is the summary of suggestions:
 
Greg ([email protected]) said:
>Aylton,
>
>this is a known problem with TCP sessions that have timed out.
>
>SP3 fixes this problem

Tom Sevy ([email protected]) said:
 
>I had a problem with this after installing an Alteon Web Switch.  We had to increase the time-out that it held a connection open before closing it (in the Alteon).  I was seeing lots and lots of packets leave through the firewall and not get natted.  These were all the tail ends of closing TCP sessions.  Once we made the change in the Alteon switch, the number of these incidents per day dropped down to below 50 per day, from up in the many hundreds per day.
 
Alberto Lopez ([email protected]) said:
 
>I have this problem too. I think that in a service pack of FW 4.1
>version it's supposed to be fixed. Since I upgraded to 4.1 sp3 it
>happens less often, but still it's present.
 
 
Tim Holman (t[email protected]):
>Encrypted packets (FWZ, SKIP, IKE) cannot have NAT applied, as their TCP/IP headers are encrypted; however IPSEC only encrypts the data portion, leaving the headers free for NAT manipulation.
>Also bear in mind that NAT won't work with protocols that use embedded IP addresses (RPC, Oracle etc), unless a Proxy has been written for them.

Daniel
 
>A little more detail on this:
>
>You CAN use NAT on encrypted packets using FWZ, SKIP, and IKE with AH only (no ESP; see below) since the packets are not encapsulated - the original header will be translated.  You can also use NAT on IKE packets using ESP for encapsulation, but the NAT will apply prior to the encryption/encapsulation.  This allows you to do things like create NAT rules to pass traffic over a VPN to sites with the same addressing on both ends.
>Not sure if this answers Aylton's original question, but hopefully worth at least $0.02.
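The timed-out-session behaviour that Greg and Tom describe, as an added simulation that is not FireWall-1's or Alteon's code: a toy stateful NAT table allocates a translation when it sees a session's SYN, expires entries idle longer than a configurable TCP timeout, and passes any later mid-stream packet (the FIN of a slow close, for example) through untranslated. The public address 198.51.100.1, the packet trace and the 600 s / 3600 s timeouts are constructed values. The `leaked_private_sources` function is the kind of egress audit a defender would run to count packets that left the outside interface still carrying a private source address, which is exactly the symptom Tom was seeing.

```python
"""Toy model of a stateful NAT table with an idle timeout.

Constructed simulation for illustration; it is not FireWall-1 or Alteon code.
A translation is created when a session's SYN is seen and dropped from the
table once the session has been idle longer than tcp_timeout. A packet that
arrives after that (the FIN of a long-idle session, for example) matches no
entry and leaves with its private source address intact.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # comma-separated TCP flags, e.g. "SYN" or "FIN,ACK"


class StatefulNat:
    def __init__(self, public_ip: str, tcp_timeout: int):
        self.public_ip = public_ip
        self.tcp_timeout = tcp_timeout  # idle seconds before an entry expires
        self.table = {}                 # (src, sport, dst, dport) -> (public_port, last_seen)
        self.next_port = 40000          # first public source port to hand out
        self.untranslated = []          # (time, packet) for packets that left without NAT

    def _expire(self, now: int) -> None:
        """Drop every entry that has been idle longer than tcp_timeout."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.tcp_timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, pkt: Packet, now: int) -> Packet:
        """Translate an outbound packet, or pass it through if no state exists."""
        self._expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            port, _ = self.table[key]
            self.table[key] = (port, now)  # refresh last_seen
        elif "SYN" in pkt.flags.split(","):
            port = self.next_port          # new session: allocate a translation
            self.next_port += 1
            self.table[key] = (port, now)
        else:
            # Mid-stream packet with no table entry: this is the "not NATted" case
            self.untranslated.append((now, pkt))
            return pkt
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.flags)


# Constructed trace: inside host 10.0.0.5 opens a session, goes idle, then closes it late.
TRACE = [
    (0,    Packet("10.0.0.5", 51000, "203.0.113.10", 80, "SYN")),
    (1,    Packet("10.0.0.5", 51000, "203.0.113.10", 80, "ACK")),
    (2,    Packet("10.0.0.5", 51000, "203.0.113.10", 80, "ACK")),
    (1900, Packet("10.0.0.5", 51000, "203.0.113.10", 80, "FIN,ACK")),  # slow close
]


def run(tcp_timeout: int):
    """Replay TRACE through a NAT with the given timeout; return (egress, leaks)."""
    nat = StatefulNat("198.51.100.1", tcp_timeout)  # placeholder public address
    egress = [nat.outbound(pkt, t) for t, pkt in TRACE]
    return egress, nat.untranslated


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def leaked_private_sources(egress):
    """Defender's egress audit: packets that left the outside interface
    still carrying an RFC 1918 source address."""
    return [p for p in egress if any(ipaddress.ip_address(p.src) in n for n in RFC1918)]


if __name__ == "__main__":
    for timeout in (600, 3600):
        egress, leaks = run(timeout)
        print(f"tcp_timeout={timeout}s: {len(leaks)} packet(s) left untranslated; "
              f"egress audit flags {len(leaked_private_sources(egress))}")
```

With the short timeout the late FIN leaves with source 10.0.0.5 untouched; raising the timeout past the session's idle gap (the change Tom made on the Alteon) keeps the entry alive and the FIN is translated like the rest of the session.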


 
   All contents © 2004 Network Presence, LLC. All rights reserved.