
Re: [FW1] Dual NAT with FW-1 on NT



The server can only talk back on a predefined port if it initiates the
connection.
If it's just a reply to a connection initiated by the client, then I'm not
sure how you do it.
I'd try sticking another NAT rule in, translating any 2900 request from the
server to the client, into a 2899 request.
But, the server is not going to be sending out packets with this port, as
TCP communication will have already started off in a higher port range
somewhere, so I think you'll have to translate All packets from the server
destined to the client, into using port 2899, but this will stop other
things from working.
Can you use UDP in this scenario?
I think TCP is going to be tricky to configure, unless we can find some way
to make the port 'stick' at 2900 and not go to the higher level ports,
although this will mean that only one client can access the server
simultaneously.
Maybe someone else out there has had experience of sticky ports?


Tim



----- Original Message -----
From: Sumit Chopra <[email protected]>
To: 'Tim Holman' <[email protected]>
Cc: <[email protected]>
Sent: 17 April 2001 19:30
Subject: RE: [FW1] Dual NAT with FW-1 on NT


> Thanks Tim, I was able to make it work yesterday. But now I have another
> thing which I want to do, NAT in the reverse direction.
>
> From my client(10.0.0.2) I can access the server(192.168.10.23) through
> server's NAT'd IP(10.0.0.23) on port 2900 fine.
>
> At the same time, I want the server(192.168.10.23) to talk back to the
> client(10.0.0.2) through a NAT'd IP of the client(192.168.0.2) on port 2899.
> This is the way my application is designed. But it's not working.
>
> One interesting thing I am seeing is that I cannot traceroute to either of
> the firewall interfaces from the server(192.168.10.23) but I can do it fine
> from my client(10.0.0.2).
>
> Any ideas how I can make it work?
>
> Thanks,
>
> Sumit
>
>
> -----Original Message-----
> From: Tim Holman [mailto:[email protected]]
> Sent: Tuesday, April 17, 2001 10:11 AM
> To: Sumit Chopra; [email protected]
> Subject: Re: [FW1] Dual NAT with FW-1 on NT
>
>
> What are you trying to NAT?
> Your proxy.arp and routes look wrong.
> Let's use an example:
>
> External address of FW - 10.0.0.1
> Public address of host - 10.0.0.2
> Real (inside) address of host - 192.168.10.23
>
> On the FW, setup local.arp as follows:
>
> 10.0.0.2 - MAC address of 10.0.0.1
>
> And a route:
>
> route add -p 10.0.0.2 mask 255.255.255.255 192.168.10.23
>
> This enables STATIC NAT to work properly.  Stick with the automatic rules to
> start with - they're ample for a basic configuration.
>
> Tim
>
>
> ----- Original Message -----
> From: Sumit Chopra <[email protected]>
> To: <[email protected]>
> Sent: 14 April 2001 21:23
> Subject: [FW1] Dual NAT with FW-1 on NT
>
>
> >
> >
> > Hi All,
> >
> > I am having problems with setting up dual NAT on FW-1(4.1) on NT.  My
> > network configuration is :
> >
> > 1. 10.0.0.0 Network(External)
> > 2. 192.168.0.0 Network(Internal)
> > 3. FW-1 one interface with IP= 10.0.0.1
> > 4. FW-1 second interface with IP=192.168.1.1
> > 5. Host on 10.0.0.0 network with IP=10.0.0.2 with the default GW=10.0.0.1
> > 6. Host on 192.168.0.0 network with IP=192.168.10.23 with the default
> > GW=192.168.1.1
> >
> > The GUI runs on the clients on 10.0.0.0 network on port 2899 and needs to
> > connect to the server on port 2900. I have tested single NAT and it works
> > fine. But dual NAT does not.
> >
> > My local.arp file on the FW has an entry
> >
> > 10.0.0.1 <MAC of 10.0.0.1 interface>
> >
> > I have added the following persistent route on the FW:
> >
> > 10.0.0.0  255.255.255.255   192.168.1.1  192.168.1.1 1
> >
> > which implies all clients on 10.0.0.0 network get routed to the 192.168.1.1
> > interface of the firewall
> >
> > I am not very clear how to define the NAT rule. Can someone please tell me
> > how to define the rule and if there is something else which needs to be
> > done.
> >
> > Thanks a lot!
> >
> > -Sumit



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
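The two technical points in this thread, the local.arp plus host-route plumbing Tim lays out for static NAT and the source-port problem he raises about the server calling the client back, as a small Python model. This is an added example, not part of the thread and not Check Point's code or configuration. The addresses are the ones from the thread; the MAC address, the ephemeral port 1234 and every function and rule name are made up. Tim's local.arp/route recipe is applied here to the server mapping Sumit describes in his second message (public 10.0.0.23 for real 192.168.10.23) rather than to the 10.0.0.2 he used in his illustration.

```python
"""Toy model of the static-NAT plumbing and NAT rulebase discussed in this thread.

Constructed example, not Check Point's code or configuration. Addresses come from
the thread; the MAC address and the ephemeral source port are made up.
"""
from dataclasses import dataclass, replace

FW_EXTERNAL = "10.0.0.1"
CLIENT_REAL, CLIENT_NAT = "10.0.0.2", "192.168.0.2"
SERVER_REAL, SERVER_NAT = "192.168.10.23", "10.0.0.23"
FW_MAC = "00:00:5e:00:53:01"   # constructed placeholder for the FW's external MAC
EPHEMERAL = 1234               # constructed: a source port the TCP stack picked


def check_static_nat_plumbing(local_arp, routes, public_ip, real_ip, fw_ip, fw_mac):
    """Sanity-check the NT-side plumbing for one static NAT mapping.

    local_arp: {ip: mac}, as in FW-1's local.arp file.
    routes:    list of (destination, mask, gateway) tuples.
    The firewall must answer ARP for the public address with its own MAC and
    needs a host route that hands that public address to the real inside host.
    Returns a list of problems, empty when the setup is consistent.
    """
    problems = []
    if local_arp.get(public_ip) != fw_mac:
        problems.append(f"local.arp needs '{public_ip} {fw_mac}' so the FW answers ARP for it")
    if fw_ip in local_arp:
        problems.append(f"local.arp entry for the FW's own address {fw_ip} does nothing useful")
    if (public_ip, "255.255.255.255", real_ip) not in routes:
        problems.append(f"missing: route add -p {public_ip} mask 255.255.255.255 {real_ip}")
    return problems


# Sumit's original plumbing, as posted.
SUMIT_LOCAL_ARP = {FW_EXTERNAL: FW_MAC}
SUMIT_ROUTES = [("10.0.0.0", "255.255.255.255", "192.168.1.1")]
# Tim's recipe, applied to the server mapping Sumit describes (10.0.0.23 <-> 192.168.10.23).
TIM_LOCAL_ARP = {SERVER_NAT: FW_MAC}
TIM_ROUTES = [(SERVER_NAT, "255.255.255.255", SERVER_REAL)]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    """One row of a first-match NAT rulebase: `criteria` lists the fields a packet
    must equal (unlisted fields match anything); `translate` lists the fields
    to rewrite when the rule fires."""
    name: str
    criteria: dict
    translate: dict

    def matches(self, pkt):
        return all(getattr(pkt, f) == v for f, v in self.criteria.items())


def apply_nat(rulebase, pkt):
    """Return (translated packet, name of the rule that fired or None)."""
    for rule in rulebase:
        if rule.matches(pkt):
            return replace(pkt, **rule.translate), rule.name
    return pkt, None


# Forward direction: client -> server's public address, both ends rewritten (dual NAT).
CLIENT_TO_SERVER = NatRule("client-to-server",
                           {"src_ip": CLIENT_REAL, "dst_ip": SERVER_NAT, "dst_port": 2900},
                           {"src_ip": CLIENT_NAT, "dst_ip": SERVER_REAL})
# Tim's first idea: key the reverse rule on source port 2900.
REVERSE_BY_PORT = NatRule("server-to-client-by-port",
                          {"src_ip": SERVER_REAL, "src_port": 2900, "dst_ip": CLIENT_NAT},
                          {"src_ip": SERVER_NAT, "dst_ip": CLIENT_REAL, "dst_port": 2899})
# Tim's fallback: force every server -> client packet onto port 2899.
REVERSE_FORCE_PORT = NatRule("server-to-client-force-2899",
                             {"src_ip": SERVER_REAL, "dst_ip": CLIENT_NAT},
                             {"src_ip": SERVER_NAT, "dst_ip": CLIENT_REAL, "dst_port": 2899})
# Plain static NAT keyed on addresses only; ports are left alone.
REVERSE_BY_ADDRESS = NatRule("server-to-client-by-address",
                             {"src_ip": SERVER_REAL, "dst_ip": CLIENT_NAT},
                             {"src_ip": SERVER_NAT, "dst_ip": CLIENT_REAL})


def forward():
    """Client GUI connects to the server's public address on 2900."""
    return apply_nat([CLIENT_TO_SERVER], Packet(CLIENT_REAL, EPHEMERAL, SERVER_NAT, 2900))


def server_callback(reverse_rule, dst_port=2899):
    """Server opens a new TCP connection to the client; its source port is ephemeral,
    so a rule that insists on src_port 2900 never fires."""
    return apply_nat([CLIENT_TO_SERVER, reverse_rule],
                     Packet(SERVER_REAL, EPHEMERAL, CLIENT_NAT, dst_port))
```

Running `check_static_nat_plumbing` over Sumit's posted local.arp and route reports three problems (the proxy-ARP entry is for the firewall's own address instead of the public one, and the host route points at the wrong destination and gateway); Tim's recipe passes clean. `server_callback(REVERSE_BY_PORT)` shows why keying the reverse rule on source port 2900 does nothing: the server's outbound connection carries an ephemeral source port, so no rule fires and the packet leaves untranslated. `REVERSE_FORCE_PORT` fires, but it also rewrites a packet to port 80 into port 2899, which is the "this will stop other things from working" caveat. `REVERSE_BY_ADDRESS` translates only the addresses and leaves the client's listening port 2899 as the application set it.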
   All contents © 2004 Network Presence, LLC. All rights reserved.