RE: [FW1] what occurs first NAT or RULEBASE
It's my opinion (and this isn't proven but I don't know how else it COULD work) that the rulebase MUST be sourced in first and then the NAT rules. I give this opinion because your rulebase rules ALWAYS are written in such a manner as to the destination being the address that a "source" will be able to "see". Then, if the rulebase finds that it's a valid connection, the NAT rule(s) are sourced in and applied as needed. Also, NAT MUST be last since even routing occurs before NAT.

Kevin Martin
Bank of America

-----Original Message-----
From: Juppunov, George (BAS)
Sent: Tuesday, June 19, 2001 11:42 AM
To: [email protected]
Subject: RE: [FW1] what occurs first NAT or RULEBASE

It depends on several factors, including whether you are using automatic address translation or manual, whether you are translating source in static mode, destination in static mode, or source in hide mode. Let's say you need to translate the source address for a workstation on your 10.x.x.x network. It would pick it up, match the rules and then translate. It would do the same on the way back, so you might want to make sure the destination address is the NAT. I believe with the auto-rules where the NAT info is in the object definition the rule for incoming traffic does not need to match the NAT address etc. etc.

You can find an in-depth discussion of the implementation of CP's FWXT_XX_XXX functions in the Architecture and Administration manual for 4.0 p.205 onward.

George

-----Original Message-----
From: Jabal P Raval [mailto:[email protected]]
Sent: Monday, June 18, 2001 1:53 PM
To: [email protected]
Subject: [FW1] what occurs first NAT or RULEBASE

In checkpoint firewall-1 4.1, what occurs first, when a packet comes in, rulebase checking or address translation?

Thanks.
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================