
Re: [FW1] RE: NAT - Manual or Auto??



Keresztesi Tibor wrote:
> > From: Jean-Pierre Harvey [mailto:[email protected]]
> >
> > Over a period of time I have seen several posts claiming that NAT is
> > better set up manually in FW-1 rather than using the auto NAT features.
> > I also have not seen anyone defend the auto NATing. So why is manual NAT
> > so much better? Or, why is the automatic NATing not as good?
>
> Manual NAT is better, because you can change the order of NAT
> rules; so much more flexible than automatic NAT. In complex
> environments this is a very important thing... With automatic
> NAT, you can't make any changes in the questionable rules,
> can't add services, destinations, etc. etc.

For an example of why manual NAT is better than auto (which is where
it's defined in the workstation or network object), consider a
workaround I had to do for a remote branch location that my company
site had to pick up recently.

This branch has two WAN connections, one to corporate and one directly
to a NASA facility. Before we took it over, they were actually using a
NASA IP range internally. Certain functions within NASA that these
engineers needed required (due to various NASA firewalls) IPs in that
range to work, but we weren't allowed (corp policy) to let them keep
that range internally. All corporate traffic had to go through *not*
NAT'd; all other traffic had to have the NASA IP range to traverse
NASA.

Solution: created one set of NAT rules automatically using a couple of
network object definitions such that all traffic was NAT'd with a one
to one setup, i.e. internal network of x.y.z.1 translated to a.b.c.1.
I then added a set of rules before the auto rules that said that any
traffic headed to corporate from an internal IP, and vice versa, was
not NAT'd. If the traffic was corporate bound/returning, the first
rules caught it and passed it un-NAT'd. If the traffic was anything
else, it got NAT'd to the NASA IP range. Then of course the upstream
router was locked down such that routes from either side didn't
propagate to one another, and ACLs were rigged to make certain
traffic couldn't go where it wasn't supposed to if a link went down.

Alternatively, if we had needed to get more granular and say that only
web/ldap/rpc traffic to NASA got NAT'd, you can't do that with just an
auto NAT ruleset.

Am I babbling here, or does this make sense?
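The ordering argument above, worked as an added example (not code from the post or from FW-1): a first-match NAT rulebase with the manual "no NAT to corporate" exemptions placed before the auto one-to-one rule, plus a check that flags the reverse order, where the auto rule would silently translate corporate-bound traffic. All address ranges are constructed stand-ins for the x.y.z.0 and a.b.c.0 networks in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class NatRule:
    name: str
    src: Net                  # original source range
    dst: Net                  # original destination range
    xlate_src: Optional[Net]  # translated source range; None = pass un-NAT'd

# Constructed sample ranges (assumptions, not the post's real addresses).
INTERNAL = Net("10.20.30.0/24")    # branch LAN, the post's x.y.z.0
NASA_RANGE = Net("192.0.2.0/24")   # one-to-one translated range, the post's a.b.c.0
CORP = Net("172.16.0.0/12")        # corporate side of the first WAN link
ANY = Net("0.0.0.0/0")

# Manual exemptions the post adds *before* the auto rule, and the auto rule itself.
MANUAL_NO_NAT = [
    NatRule("manual: internal -> corp, no NAT", INTERNAL, CORP, None),
    NatRule("manual: corp -> internal, no NAT", CORP, INTERNAL, None),
]
AUTO_STATIC = [NatRule("auto: static one-to-one to NASA range", INTERNAL, ANY, NASA_RANGE)]

def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str]:
    """First matching rule wins, as in an ordered NAT rulebase.
    Returns (rule name, source address as seen on the wire)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            if r.xlate_src is None:
                return r.name, str(s)
            # one-to-one: keep the host offset, swap in the translated network
            offset = int(s) - int(r.src.network_address)
            return r.name, str(r.xlate_src.network_address + offset)
    return "no match", str(s)

def exemptions_before_translations(rules: List[NatRule]) -> bool:
    """Policy check: a no-NAT rule placed after a translating rule that
    covers the same src/dst space is shadowed and can never fire."""
    for i, r in enumerate(rules):
        if r.xlate_src is None:
            continue
        for later in rules[i + 1:]:
            if later.xlate_src is None and later.src.overlaps(r.src) and later.dst.overlaps(r.dst):
                return False
    return True
```

Running `translate(AUTO_STATIC + MANUAL_NO_NAT, "10.20.30.1", "172.16.5.9")` shows the corporate-bound packet leaving as 192.0.2.1, which is exactly the outcome the manual-first ordering prevents.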


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================