
Re: [FW1] what occurs first NAT or RULEBASE



It's a CCSE question: (couldn't resist)

rulebase--->route--->nat--->rulebase
(assuming eitherbound rules which are recommended)

----- Original Message ----- 
From: "Martin, Kevin T" <[email protected]>
To: <[email protected]>
Sent: Tuesday, June 19, 2001 5:16 PM
Subject: RE: [FW1] what occurs first NAT or RULEBASE


> 
> It's my opinion (and this isn't proven but I don't know how else it COULD
> work) that the rulebase MUST be sourced in first and then the NAT rules.  I
> give this opinion because your rulebase rules ALWAYS are written in such a
> manner as to the destination being the address that a "source" will be able
> to "see".  Then, if the rulebase finds that it's a valid connection, the NAT
> rule(s) are sourced in and applied as needed.  Also, NAT MUST be last since
> even routing occurs before NAT.
> 
> Kevin Martin
> Bank of America
> 
> -----Original Message-----
> From: Juppunov, George (BAS) 
> Sent: Tuesday, June 19, 2001 11:42 AM
> To: [email protected]
> Subject: RE: [FW1] what occurs first NAT or RULEBASE
> 
> 
> 
> It depends on several factors, including whether you are using automatic address
> translation or manual, whether you are translating source in static mode, destination
> in static mode, or source in hide mode.
> 
> Let's say you need to translate the source address for a workstation on your 10.x.x.x
> network. It would pick it up, match the rules and then translate. It would do the
> same on the way back, so you might want to make sure the destination address is the NAT.
> 
> I believe with the auto-rules where the NAT info is in the object definition the rule
> for incoming traffic does not need to match the NAT address etc. etc.
> 
> You can find an in-depth discussion of the implementation of CP's FWXT_XX_XXX functions
> in the Architecture and Administration manual for 4.0 p.205 onward.
> 
> George 
> 
> -----Original Message-----
> From: Jabal P Raval [mailto:[email protected]]
> Sent: Monday, June 18, 2001 1:53 PM
> To: [email protected]
> Subject: [FW1] what occurs first NAT or RULEBASE
> 
> 
> 
> 
> In Check Point FireWall-1 4.1, what occurs first when a packet comes in,
> rulebase checking or address translation?
> 
> Thanks.
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.