Re: [FW1] Dual NAT with FW-1 on NT
The server can only talk back on a predefined port if it initiates the connection. If it's just a reply to a connection initiated by the client, then I'm not sure how you do it. I'd try sticking another NAT rule in, translating any 2900 request from the server to the client into a 2899 request. But the server is not going to be sending out packets with this port, as TCP communication will have already started off in a higher port range somewhere, so I think you'll have to translate all packets from the server destined to the client into using port 2899, but this will stop other things from working.

Can you use UDP in this scenario? I think TCP is going to be tricky to configure, unless we can find some way to make the port 'stick' at 2900 and not go to the higher level ports, although this will mean that only one client can access the server simultaneously. Maybe someone else out there has had experience of sticky ports?

Tim

----- Original Message -----
From: Sumit Chopra <[email protected]>
To: 'Tim Holman' <[email protected]>
Cc: <[email protected]>
Sent: 17 April 2001 19:30
Subject: RE: [FW1] Dual NAT with FW-1 on NT

> Thanks Tim, I was able to make it work yesterday. But now I have another
> thing which I want to do, NAT in the reverse direction.
>
> From my client (10.0.0.2) I can access the server (192.168.10.23) through
> the server's NAT'd IP (10.0.0.23) on port 2900 fine.
>
> At the same time, I want the server (192.168.10.23) to talk back to the
> client (10.0.0.2) through a NAT'd IP of the client (192.168.0.2) on port 2899.
> This is the way my application is designed. But it's not working.
>
> One interesting thing I am seeing is that I cannot traceroute to either of
> the firewall interfaces from the server (192.168.10.23), but I can do it fine
> from my client (10.0.0.2).
>
> Any ideas how I can make it work?
>
> Thanks,
> Sumit
>
> -----Original Message-----
> From: Tim Holman [mailto:[email protected]]
> Sent: Tuesday, April 17, 2001 10:11 AM
> To: Sumit Chopra; [email protected]
> Subject: Re: [FW1] Dual NAT with FW-1 on NT
>
> What are you trying to NAT?
> Your proxy.arp and routes look wrong.
> Let's use an example:
>
> External address of FW - 10.0.0.1
> Public address of host - 10.0.0.2
> Real (inside) address of host - 192.168.10.23
>
> On the FW, set up local.arp as follows:
>
> 10.0.0.2 - MAC address of 10.0.0.1
>
> And a route:
>
> route add -p 10.0.0.2 mask 255.255.255.255 192.168.10.23
>
> This enables STATIC NAT to work properly. Stick with the automatic rules to
> start with - they're ample for a basic configuration.
>
> Tim
>
> ----- Original Message -----
> From: Sumit Chopra <[email protected]>
> To: <[email protected]>
> Sent: 14 April 2001 21:23
> Subject: [FW1] Dual NAT with FW-1 on NT
>
> > Hi All,
> >
> > I am having problems with setting up dual NAT on FW-1 (4.1) on NT. My
> > network configuration is:
> >
> > 1. 10.0.0.0 Network (External)
> > 2. 192.168.0.0 Network (Internal)
> > 3. FW-1 one interface with IP=10.0.0.1
> > 4. FW-1 second interface with IP=192.168.1.1
> > 5. Host on 10.0.0.0 network with IP=10.0.0.2 with the default GW=10.0.0.1
> > 6. Host on 192.168.0.0 network with IP=192.168.10.23 with the default
> > GW=192.168.1.1
> >
> > The GUI runs on the clients on the 10.0.0.0 network on port 2899 and needs to
> > connect to the server on port 2900. I have tested single NAT and it works
> > fine. But dual NAT does not.
> >
> > My local.arp file on the FW has an entry
> >
> > 10.0.0.1 <MAC of 10.0.0.1 interface>
> >
> > I have added the following persistent route on the FW:
> >
> > 10.0.0.0 255.255.255.255 192.168.1.1 192.168.1.1 1
> >
> > which implies all clients on the 10.0.0.0 network get routed to the 192.168.1.1
> > interface of the firewall
> >
> > I am not very clear how to define the NAT rule. Can someone please tell me
> > how to define the rule and if there is something else which needs to be
> > done.
> >
> > Thanks a lot!
> >
> > -Sumit
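The sticky-port problem Tim raises, as an added toy simulation that is not code from the list, from Tim or from Check Point: a static NAT table keyed on addresses (using the addresses from the thread) translates a server-initiated callback whatever source port the server's TCP stack picked, while a rule keyed on source port 2900 never matches it. The ports 40001 and 49152 and the flows themselves are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Static one-to-one NAT table built from the addresses in the thread
# (real address -> address presented on the other side of the firewall).
STATIC_NAT = {
    "192.168.10.23": "10.0.0.23",  # server as seen from the 10.0.0.0 network
    "10.0.0.2": "192.168.0.2",     # client as seen from the 192.168.0.0 network
}
UNNAT = {translated: real for real, translated in STATIC_NAT.items()}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def static_nat(pkt: Packet) -> Packet:
    """Address-keyed static NAT as the firewall would apply it: hide a real
    source, unhide a translated destination, carry both ports through untouched."""
    return Packet(STATIC_NAT.get(pkt.src, pkt.src), pkt.sport,
                  UNNAT.get(pkt.dst, pkt.dst), pkt.dport)

def port_keyed_nat(pkt: Packet, pinned_sport: int = 2900) -> Optional[Packet]:
    """The rule proposed in the thread, keyed on the server's source port.
    Returns None when the packet left the server from an ephemeral port,
    which is what a TCP stack does for a connection the server initiates."""
    if pkt.src == "192.168.10.23" and pkt.sport == pinned_sport:
        return static_nat(pkt)
    return None

def demo() -> dict:
    # Constructed flows: client -> published server address, and the reply.
    request = Packet("10.0.0.2", 40001, "10.0.0.23", 2900)
    reply = Packet("192.168.10.23", 2900, "192.168.0.2", 40001)
    # Constructed server-initiated callback to the client's NAT'd address on
    # 2899; source port 49152 stands in for whatever the server's stack picked.
    callback = Packet("192.168.10.23", 49152, "192.168.0.2", 2899)
    return {
        "request": static_nat(request),                # 192.168.0.2:40001 -> 192.168.10.23:2900
        "reply": static_nat(reply),                    # 10.0.0.23:2900 -> 10.0.0.2:40001
        "callback_by_address": static_nat(callback),   # translated, port untouched
        "callback_by_port": port_keyed_nat(callback),  # None: ephemeral port never matches
    }
```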
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================