
RE: [FW1] question



Title: RE: [FW1] question

Hi Jonathan,

I have never set up FW-1 on NT, but in the Nokia implementation, the IP addresses to be NAT'd are not bound to the external interface. Instead, a static entry is added to the ARP cache for each address to be translated that resolves to the MAC address of the external interface. Then a static route is added on the Nokia box to route all packets destined for the public IP address to be NAT'd to the internal IP address. Rules on the firewall then decide what traffic goes through.

I do not know if this is the same in the NT implementation, but if your internal hosts can get out OK and are NATing correctly, then the signs are there that this is the problem. Your internal hosts can get out because your NT firewall has a default route out; it knows where to send the packets. If the IP addresses are bound to the external interface, then it would appear to the NT box that it just needs to send the packets to itself, and not route them to the internal host. It looks like everything is set up right, but you may just need to unbind the IP addresses from the external interface.

More than happy for an NT FW-1 guru to correct me. Hope that helps.

Regards
JP
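The explanation above can be checked against a small model. The following Python is an added example, not code from either message and not FW-1 or Nokia IPSO code: it models only the ARP answer and the routing decision on a dual-homed box (NAT rule processing is not modelled), and compares the setup in the question (public address bound to the external NIC, plus a static route) with the setup JP describes (static ARP entry plus static route). The `Gateway` class is hypothetical, and all addresses and the MAC are constructed placeholders from the documentation range rather than the poster's real 216.x.x.x addresses.

```python
from dataclasses import dataclass, field

# Constructed placeholder addresses (documentation range), standing in for the
# poster's 216.x.x.x addresses; the MAC is made up as well.
PUBLIC_FW = "203.0.113.3"       # external address of the firewall itself
PUBLIC_HOST = "203.0.113.4"     # public address to be statically NAT'd
INTERNAL_HOST = "10.10.10.4"    # the internal host behind that public address
EXTERNAL_MAC = "00:11:22:33:44:55"


@dataclass
class Gateway:
    """Hypothetical model of a dual-homed firewall box: just enough state to
    decide what happens to one inbound packet on the external segment."""
    bound: dict = field(default_factory=dict)       # interface -> set of its own IPs
    static_arp: dict = field(default_factory=dict)  # IP -> MAC the box answers ARP for
    routes: dict = field(default_factory=dict)      # destination IP -> next hop
    default_gw: str = "203.0.113.1"                 # constructed upstream router

    def answers_arp(self, ip):
        """MAC the box returns for an ARP request for ip, or None if it stays silent."""
        if any(ip in addrs for addrs in self.bound.values()):
            return EXTERNAL_MAC                      # bound address: the stack replies
        return self.static_arp.get(ip)               # otherwise only a static/proxy entry

    def route(self, dst):
        """Routing decision: a locally bound address is delivered to the box itself
        before the route table is ever consulted; anything else is forwarded."""
        for iface, addrs in self.bound.items():
            if dst in addrs:
                return ("local", iface)
        return ("forward", self.routes.get(dst, self.default_gw))


def bound_config():
    """The setup in the question: the NAT'd address is an extra address on the
    external NIC, and a static route to the internal host was added as well."""
    gw = Gateway(bound={"external": {PUBLIC_FW, PUBLIC_HOST},
                        "internal": {"10.10.10.1"}})
    gw.routes[PUBLIC_HOST] = INTERNAL_HOST            # never consulted (see route())
    return gw


def arp_and_route_config():
    """JP's description: the public address is not bound anywhere; a static ARP
    entry makes the box answer for it, and a static route sends it inside."""
    return Gateway(bound={"external": {PUBLIC_FW}, "internal": {"10.10.10.1"}},
                   static_arp={PUBLIC_HOST: EXTERNAL_MAC},
                   routes={PUBLIC_HOST: INTERNAL_HOST})


def trace_inbound(gw, dst):
    """What happens to a packet from an external host addressed to dst:
    ('no-arp', None) if nobody claims the address on the wire,
    ('local', iface) if the box keeps it, ('forward', next_hop) if it routes it."""
    if gw.answers_arp(dst) is None:
        return ("no-arp", None)
    return gw.route(dst)


if __name__ == "__main__":
    for name, gw in (("bound to external NIC", bound_config()),
                     ("static ARP + static route", arp_and_route_config())):
        print(f"{name:28s} -> {trace_inbound(gw, PUBLIC_HOST)}")
```

In the first configuration the packet is answered on the wire and then stops at the gateway, which matches the symptom in the question; in the second it is forwarded to 10.10.10.4. The model also shows the failure mode of the second configuration: without the static ARP entry the box never claims the public address and the packet is dropped on the external segment, so both pieces (ARP entry and route) are needed.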




-----Original Message-----
From: Jonathan Edmunds [mailto:[email protected]]
Sent: Wednesday, April 25, 2001 2:04 AM
To: '[email protected]'
Subject: [FW1] question


I've read many, many pages in the Checkpoint VPN-1 / FW-1 Administration Guide about Static NAT as well as various websites, and I must say I am completely confused by the whole process, mainly due to hearing different people's accounts of how to set this up.

My setup is on NT and is as follows:
Firewall Machine - External 216...3, Internal 10.10.10.1
The firewall machine is intended to be the sole gateway to the outside world.
I have IP forwarding enabled, RIP Service running, and the additional IPs bound to the external interface that I wish to be translated.

The external interface has a gateway listed, the internal does not.
In FW-1 I have configured a network object for my Firewall as well as my 2 networks.
I have configured static address translation rules and everything from the inside out seems to work properly.
My rules are as follows:
Original packet                      |||  Translated packet
Source   | Dest  | Service           |||  Source   | Dest     | Service
Intaddr  | any   | any               |||  valid    | orig     | orig
Any      | valid | any               |||  original | internal | orig


Hosts on my internal LAN can route out to the outside world and show up as their translated IP.
The rule sets for the firewall are wide open, accepting anything; the IP address spoofing checks on the firewall's interfaces are disabled.

However, if I am on an external host and attempt to SSH into a box I have configured for Static NAT, the request reaches only the gateway.

In the logs it looks as if it does get translated back to the private address.
I have tried adding static routes ( route add 216.xxx.xxx.4 10.10.10.4 ).
I have also messed around with the local.arp file, but with each of these I have read various different accounts of the proper method.

If anyone can help me out with some clarification on this issue or help me see the aspect I am overlooking it would be greatly appreciated.

Thanks


-----------------------------------------------------------------------
Jonathan Edmunds
Systems Administrator
CreativePlanet