Re: [FW1] RE: NAT - Manual or Auto??
Keresztesi Tibor wrote:
> > From: Jean-Pierre Harvey
> > [mailto:[email protected]]
> >
> > Over a period of time I have seen several posts claiming that NAT is
> > better set up manually in FW-1 rather than using the auto NAT features.
> > I also have not seen anyone defend the auto NATing. So why is manual
> > NAT so much better? Or, why is the automatic NATing not as good?
>
> Manual NAT is better, because you can change the order of NAT
> rules; so much more flexible than automatic NAT. In a complex
> environment this is a very important thing... With automatic
> NAT, you can't make any changes in the questionable rules,
> can't add services, destinations, etc. etc.

For an example of why manual NAT is better than auto (which is where it's defined in the workstation or network object), consider a workaround I had to do for a remote branch location that my company site had to pick up recently.

This branch has two WAN connections, one to corporate and one directly to a NASA facility. Before we took it over, they were actually using a NASA IP range internally. Certain functions within NASA that these engineers needed required (due to various NASA firewalls) IPs in that range to work, but we weren't allowed (corp policy) to let them keep that range internally. All corporate traffic had to go through *not* NAT'd; all other traffic had to have the NASA IP range to traverse NASA.

Solution: created one set of NAT rules automatically using a couple of network object definitions such that all traffic was NAT'd with a one-to-one setup, in other words internal network of x.y.z.1 translated to a.b.c.1. I then added a set of rules before the auto rules that said that any traffic headed to corporate from an internal IP, and vice versa, was not NAT'd. If the traffic was corporate bound/returning, the first rules caught it and passed it un-NAT'd. If the traffic was anything else, it got NAT'd to the NASA IP range.

Then of course the upstream router was locked down such that routes from either side didn't propagate to one another, and ACLs were rigged to make certain traffic couldn't go where it wasn't supposed to if a link went down.

Alternatively, if we had needed to get more granular and say that only web/ldap/rpc traffic to NASA got NAT'd, you can't do that with just an auto NAT ruleset.

Am I babbling here, or does this make sense?

To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
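To make the rule-ordering point concrete, here is an added example (not from the post above and not Check Point code) that models the branch NAT rulebase as a first-match list: manual no-NAT rules for corporate traffic ahead of the automatic one-to-one rule, plus the service-granular variant the post says automatic NAT cannot express. The address ranges and port numbers are constructed placeholders standing in for the x.y.z / a.b.c ranges the post leaves unspecified.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder ranges (the post only names them x.y.z and a.b.c):
INTERNAL = ip_network("10.1.1.0/24")     # branch internal network, "x.y.z.0/24"
NASA_RANGE = ip_network("192.0.2.0/24")  # NASA-routable range, "a.b.c.0/24"
CORPORATE = ip_network("10.200.0.0/16")  # corporate network over the corp WAN
ANY = ip_network("0.0.0.0/0")
ANY_SERVICE = None  # no service restriction, which is all an automatic rule offers

def one_to_one(addr, src_net, dst_net):
    """Static 1:1 translation: keep the host part, swap the network part."""
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)

# A rule is (source match, destination match, destination ports or None, action).
def no_nat(src):
    return src

def nat_to_nasa(src):
    return one_to_one(src, INTERNAL, NASA_RANGE)

# Manual rules first: corporate-bound traffic passes untranslated. The automatic
# 1:1 rule generated from the network object comes last and catches the rest.
MANUAL_BEFORE_AUTO = [
    (INTERNAL, CORPORATE, ANY_SERVICE, no_nat),
    (INTERNAL, ANY, ANY_SERVICE, nat_to_nasa),
]

# Service-granular variant: only web/LDAP/RPC (assumed ports) is translated.
# Automatic NAT has no service column, so this needs manual rules.
GRANULAR = [
    (INTERNAL, CORPORATE, ANY_SERVICE, no_nat),
    (INTERNAL, ANY, {80, 443, 389, 135}, nat_to_nasa),
]

def translate_source(rulebase, src, dst, dport):
    """First matching rule wins, as in the FW-1 NAT rulebase; order matters."""
    src, dst = ip_address(src), ip_address(dst)
    for match_src, match_dst, ports, action in rulebase:
        if src in match_src and dst in match_dst and (ports is None or dport in ports):
            return str(action(src))
    return str(src)  # nothing matched: packet leaves untranslated
```

Reversing the list so the automatic rule comes first shows the failure mode the post is working around: corporate-bound traffic is then NAT'd into the NASA range.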