
RE: [FW1] Strange FW behaviour with Proxy



Michael,

This is great, thanks.

I manually added my NATs as opposed to letting it go on its own
(automatically created NAT rules), but it seems as though the problem lies in
what Volker described, i.e., the use of security servers causes the FW to act
as a proxy, and therefore I continue to get the FW's external leg in the
logs and not the actual proxy's NAT'd address.

Thanks a lot though, as your description is one I needed :)

Mike

> -----Original Message-----
> From:	Meacle, Michael A [SMTP:[email protected]]
> Sent:	Wednesday, April 11, 2001 1:41
> To:	'Mike Glassman - Admin'
> Cc:	'fw-1 listserv'
> Subject:	RE: [FW1] Strange FW behaviour with Proxy
> 
> 	Mike,
> 
> 	Let's assume:
> 		proxy-int  ~ 10.1.2.3
> 		proxy-ext  ~ 192.178.116.72
> 		fw-ext     ~ 192.178.116.1
> 		localnet   ~ 10.0.0.0/8
> 
> 	Here are the two rules you would expect for a "static source mode"
> 	manually configured nat'g:
> 	<Address Translation>
> 	Rule #  Original Packet:                     Translated Packet:                   Install On:
> 	        Source      Destination  Service     Source      Destination  Service
> 	1       proxy-int   any#1        any#2       proxy-ext   =original    =original    fw1
> 	2       any#1       proxy-ext    any#2       =original   proxy-int    =original    fw1
> 
> 	note 1: generally this "any" should be a group which has all valid
> 	        internet addresses and especially not your internal addresses,
> 	        e.g. spoof group
> 	     2: you may want to restrict this to "http"
> 
> 	Now by more general I mean you could have something like
> 	<Address Translation>
> 	Rule #  Original Packet:                     Translated Packet:                   Install On:
> 	        Source      Destination  Service     Source      Destination  Service
> 	1       localnet    any          any         fw-ext      =original    =original    fw1
> 	2       proxy-int   any#1        any#2       proxy-ext   =original    =original    fw1
> 	3       any#1       proxy-ext    any#2       =original   proxy-int    =original    fw1
> 
> 	e.g. a hide rule number 1 is more general, and consumes the
> 	proxy-int address; moving rule 1 to the end would overcome this problem.
> 
> 	Another variation could be
> 	<Address Translation>
> 	Rule #  Original Packet:                     Translated Packet:                   Install On:
> 	        Source      Destination  Service     Source      Destination  Service
> 	1       localnet    any#1        any#2       fw-ext      =original    =original    fw1
> 	2       any#1       fw-ext       any#2       =original   localnet     =original    fw1
> 	3       proxy-int   any#1        any#2       proxy-ext   =original    =original    fw1
> 	4       any#1       proxy-ext    any#2       =original   proxy-int    =original    fw1
> 
> 	e.g. a more general "static source mode" nat'g;
> 	moving rules 1 and 2 to below rules 3 and 4 would overcome this problem.
> 
> 
> Mick Meacle,  
> 
> > -----Original Message-----
> > From:	Mike Glassman - Admin [SMTP:[email protected]]
> > Sent:	Tuesday, April 10, 2001 7:32 PM
> > To:	'Meacle, Michael A'
> > Cc:	'fw-1 listserv'
> > Subject:	RE: [FW1] Strange FW behaviour with Proxy
> > 
> > Michael,
> > 
> > By more general, do you mean something like having a network (internal)
> > Hide NAT'd to the fw's external leg, where the internal proxy is using an
> > address from that network?
> > 
> > If so, I do have such.
> > 
> > Would moving the NAT rule of the internal proxy above this "general" NAT
> > rule do the trick?
> > 
> > Very strange this.
> > 
> > Thanks,
> > 
> > Mike
> > 
> > > -----Original Message-----
> > > From:	Meacle, Michael A [SMTP:[email protected]]
> > > Sent:	Tuesday, April 10, 2001 9:33
> > > To:	'Mike Glassman - Admin'; 'fw-1 listserv'
> > > Subject:	RE: [FW1] Strange FW behaviour with Proxy
> > > 
> > > Mike,
> > > 
> > > In your fw gui, have a look on the "Address Translation" tab.
> > > 
> > > When a packet is to be NAT'd these rules are searched from the top until
> > > one matches.
> > > 
> > > As a suggestion, verify that you don't have a more general translation
> > > that matches the external interface of your firewall higher up than your
> > > translation for the proxy server.
> > > 
> > > Be careful: depending on how you set up NAT'g there may be 1 or 2 NAT
> > > rules.
> > > 
> > > catcha,
> > > Mick Meacle,  
> > > 
> > > > -----Original Message-----
> > > > From:	Mike Glassman - Admin [SMTP:[email protected]]
> > > > Sent:	Monday, April 09, 2001 7:25 PM
> > > > To:	'fw-1 listserv'
> > > > Cc:	Mike Glassman - Admin
> > > > Subject:	[FW1] Strange FW behaviour with Proxy
> > > > 
> > > > 
> > > > All,
> > > > 
> > > > We have an internal Proxy server which has been static NAT'd to a legal
> > > > external address to allow it to access the Internet, and for logging
> > > > purposes.
> > > > 
> > > > In the FW rulebase, the rules define what the Proxy may do and so on. So
> > > > the rules would be, for eg....
> > > > 
> > > > Proxy Any HTTP Log
> > > > Proxy Any FTP Log
> > > > 
> > > > And so on.
> > > > 
> > > > When I look at the FW logs, I see the Proxy server as it should be (the
> > > > internal address).
> > > > 
> > > > When on the other hand I look at the logs generated beyond my FW, and
> > > > before my Router, using a shaping/logging tool we have, I see that the
> > > > Proxy is going out on the FW's legal Internet address and not as the
> > > > NAT'd address I gave it.
> > > > 
> > > > So, if I NAT'd the Proxy to 192.178.116.72 (for eg), I should see that
> > > > address; instead I see 192.178.116.1 (for eg) which is the FW's external
> > > > leg. (Those addresses are not the actual ones for obvious reasons.)
> > > > 
> > > > I know for a fact that this is happening, but I can't for the life of
> > > > me figure out why.
> > > > 
> > > > Anyone ?
> > > > 
> > > > Mike Glassman
> > > > System & Security Admin
> > > > Israeli Airports Authority
> > > > Ben-Gurion Airport
> > > > http://www.ben-gurion-airport.co.il
> > > > 
> > > > Tel : 972-3-9710785
> > > > Fax : 972-3-9710939
> > > > Email : [email protected]
> > > > 
> > > > Usage of this email address or any email address at iaa.gov.il for the
> > > > purpose of sales pitches, SPAM or any other such unwanted garbage, is
> > > > illegal, and any person, whether corporate or alone doing so, will be
> > > > prosecuted to the fullest possible extent.
> > > > 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
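The thread turns on one behaviour: the Address Translation rulebase is searched from the top and the first matching rule wins, so a general hide rule for localnet placed above the proxy's static rule "consumes" the proxy's packets and the upstream logger sees fw-ext instead of proxy-ext. The following is an added example that is not code from any post in this thread and not Check Point's implementation: a small first-match simulator using Mick's object names and sample addresses (proxy-int, proxy-ext, fw-ext, localnet), modelling his first "more general" rulebase and the fix of moving the hide rule to the end. The service columns are dropped, "any" stands in for the any#1 group, and the internet host 203.0.113.10 is a constructed sample value. It also adds a shadowing check, which is the review a practitioner would run on a rulebase before looking at upstream logs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects as assumed in the thread (sample addresses, not real ones)
OBJECTS = {
    "proxy-int": ip_network("10.1.2.3/32"),
    "proxy-ext": ip_network("192.178.116.72/32"),
    "fw-ext": ip_network("192.178.116.1/32"),
    "localnet": ip_network("10.0.0.0/8"),
}


@dataclass(frozen=True)
class NatRule:
    """One row of the Address Translation tab: original src/dst and the
    translated src/dst. 'any' stands in for the any#1 group of the post;
    '=original' keeps the address unchanged."""
    src: str
    dst: str
    xlate_src: str
    xlate_dst: str


def _matches(obj, addr):
    return obj == "any" or ip_address(addr) in OBJECTS[obj]


def _translate(obj, original):
    if obj == "=original":
        return original
    net = OBJECTS[obj]
    if net.num_addresses != 1:
        raise ValueError(f"{obj}: static translation needs a single address")
    return str(net.network_address)


def translate(rulebase, src, dst):
    """Simplified model of FW-1 first-match lookup: scan from the top and apply
    the first rule whose original-packet columns match. Returns
    (new_src, new_dst, rule_no); rule_no is None when no rule matched."""
    for no, rule in enumerate(rulebase, start=1):
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return _translate(rule.xlate_src, src), _translate(rule.xlate_dst, dst), no
    return src, dst, None


def _covers(a, b):
    """True if every address matching object b also matches object a."""
    if a == "any":
        return True
    if b == "any":
        return False
    return OBJECTS[b].subnet_of(OBJECTS[a])


def shadowed_rules(rulebase):
    """(rule_no, shadowed_by) pairs: rules that can never match because an
    earlier, more general rule covers their whole original-packet space."""
    found = []
    for j, later in enumerate(rulebase, start=1):
        for i, earlier in enumerate(rulebase[: j - 1], start=1):
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                found.append((j, i))
                break
    return found


# Mick's "more general" rulebase: hide rule for localnet above the proxy rules
HIDE_FIRST = [
    NatRule("localnet", "any", "fw-ext", "=original"),
    NatRule("proxy-int", "any", "proxy-ext", "=original"),
    NatRule("any", "proxy-ext", "=original", "proxy-int"),
]
# The suggested fix: same rules, hide rule moved to the end
HIDE_LAST = HIDE_FIRST[1:] + HIDE_FIRST[:1]

INTERNET_HOST = "203.0.113.10"  # constructed sample destination (TEST-NET-3)


def upstream_sees(rulebase, internal_src, dst=INTERNET_HOST):
    """Source address a logger between the firewall and the router would record."""
    return translate(rulebase, internal_src, dst)[0]


if __name__ == "__main__":
    for name, rb in (("hide rule first", HIDE_FIRST), ("hide rule last", HIDE_LAST)):
        print(f"{name}: proxy appears upstream as {upstream_sees(rb, '10.1.2.3')}; "
              f"shadowed rules: {shadowed_rules(rb)}")
```

With the hide rule on top, `shadowed_rules` reports rule 2 as unreachable (proxy-int is inside localnet and "any" covers "any"), which is exactly the symptom in the original post: the proxy leaves as 192.178.116.1. With the hide rule last, nothing is shadowed, the proxy leaves as 192.178.116.72, other localnet hosts still hide behind fw-ext, and inbound traffic to proxy-ext is mapped back to proxy-int by rule 2.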



 