
RE: [FW1] Problem with NAT and UDP

Managed to get this resolved - it's a known bug.
Problem Description
When using a client application, it is possible for a few users to log in
concurrently, but only one user can get information from the server.

When using Static NAT, some UDP packets are not translated.


Workaround: the UDP service in question should be defined as service of type
'other' instead of 'udp'. Defining the service as 'other' forces all the
packets in the UDP session to pass through the inspection script and this
causes the session to be NATed properly. For the example above, the
workaround is implemented in the following way:
The application's UDP service should be defined as service "other" and
"match" udp, (dport=4901 or dport=7200, or dport=7311 or dport=1105)

For the NFS service group you should do the following changes:
1. Create a new service of type other.  In the Match tab enter: udp,
(dport=2049).  This would force all connections to destination port 2049 on
the server to open a new source port.

2. Edit the NFS group under Services.   Replace the nfsd service with the
new service you created in step 1.

A solution is not yet available. Currently under investigation.
Regards, Paul.
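The symptom in this thread (a UDP packet whose destination on the internal interface is still the public NAT address) can be spotted from a capture taken on the inside interface. The script below is an added illustration, not part of the mailing-list thread or a Check Point tool: it flags untranslated packets in a constructed packet list and reports whether each affected port is covered by the workaround's "match" expression. Addresses and the sample packets are made up.

```python
# Added example (not from the mailing-list thread): flag UDP packets that reached
# the firewall's internal interface still addressed to the public NAT address,
# which is the symptom described above, and report whether each affected
# destination port is covered by the "other"-type service match from the workaround.
from typing import NamedTuple

# Constructed addresses for illustration only.
PUBLIC_ADDR = "203.0.113.10"    # address advertised by Static NAT
PRIVATE_ADDR = "10.0.0.10"      # real address of the server behind the firewall

# Destination ports listed in the workaround's "match" expression:
#   udp, (dport=4901 or dport=7200 or dport=7311 or dport=1105)
WORKAROUND_DPORTS = {4901, 7200, 7311, 1105}


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int


def match_other_service(pkt: Packet, dports=WORKAROUND_DPORTS) -> bool:
    """Evaluate the INSPECT-style match 'udp, (dport=... or ...)' for one packet."""
    return pkt.proto == "udp" and pkt.dport in dports


def find_untranslated(packets, public=PUBLIC_ADDR):
    """Packets seen on the internal interface that still carry the public
    address as their destination were not translated by NAT."""
    return [p for p in packets if p.dst == public]


def nat_report(packets):
    """Return {dport: covered_by_workaround} for every untranslated UDP packet."""
    report = {}
    for p in find_untranslated(packets):
        if p.proto == "udp":
            report[p.dport] = match_other_service(p)
    return report


# Constructed sample of what a sniffer on the internal interface might show.
SAMPLE = [
    Packet("tcp", "198.51.100.7", PRIVATE_ADDR, 23),     # telnet, translated OK
    Packet("udp", "198.51.100.7", PRIVATE_ADDR, 4901),   # first UDP packet, translated
    Packet("udp", "198.51.100.8", PUBLIC_ADDR, 4901),    # later UDP packet, NOT translated
    Packet("udp", "198.51.100.8", PUBLIC_ADDR, 2049),    # NFS, not in this match list
]

if __name__ == "__main__":
    for port, covered in nat_report(SAMPLE).items():
        print(f"untranslated UDP dport {port}: covered by workaround match = {covered}")
```

A port reported as not covered (2049 here) needs its own service of type "other", as the NFS steps above describe.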

-----Original Message-----
From: Paul McAtasney [mailto:[email protected]]
Sent: Monday, April 23, 2001 7:54 AM
To: [email protected]
Subject: [FW1] Problem with NAT and UDP

Hi,

We're running Checkpoint Firewall-1 V 4.1 SP3 on Solaris 7. We have a
particular machine with a private address behind the firewall and use NAT on
the firewall to give it a public address. It is possible to access the
machine from outside using telnet, ftp, and http. However, when someone from
outside tries to access on a range of UDP ports, there appears to be a
breakdown in NAT. The firewall logs the fact that the packet is received and
the Xlat dest address is OK, however the address passed through on the
internal interface is the external address. It's more confusing since this
doesn't happen every time.

Has anyone any ideas as to what could be causing this problem?

Paul.





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================