Re: [FW1] what occurs first NAT or RULEBASE
It's a CCSE question: (couldn't resist)

rulebase--->route--->nat--->rulebase (assuming eitherbound rules which are recommended)

----- Original Message -----
From: "Martin, Kevin T" <[email protected]>
To: <[email protected]>
Sent: Tuesday, June 19, 2001 5:16 PM
Subject: RE: [FW1] what occurs first NAT or RULEBASE

> It's my opinion (and this isn't proven but I don't know how else it COULD
> work) that the rulebase MUST be sourced in first and then the NAT rules. I
> give this opinion because your rulebase rules ALWAYS are written in such a
> manner as to the destination being the address that a "source" will be able
> to "see". Then, if the rulebase finds that it's a valid connection, the NAT
> rule(s) are sourced in and applied as needed. Also, NAT MUST be last since
> even routing occurs before NAT.
>
> Kevin Martin
> Bank of America
>
> -----Original Message-----
> From: Juppunov, George (BAS)
> Sent: Tuesday, June 19, 2001 11:42 AM
> To: [email protected]
> Subject: RE: [FW1] what occurs first NAT or RULEBASE
>
> It depends on several factors, including whether you are using automatic
> address translation or manual, whether you are translating source in static
> mode, destination in static mode, or source in hide mode.
>
> Let's say you need to translate the source address for a workstation on your
> 10.x.x.x network. It would pick it up, match the rules and then translate.
> It would do the same on the way back, so you might want to make sure the
> destination address is the NAT.
>
> I believe with the auto-rules where the NAT info is in the object definition
> the rule for incoming traffic does not need to match the NAT address etc. etc.
>
> You can find an in-depth discussion of the implementation of CP's
> FWXT_XX_XXX functions in the Architecture and Administration manual for 4.0
> p.205 onward.
>
> George
>
> -----Original Message-----
> From: Jabal P Raval [mailto:[email protected]]
> Sent: Monday, June 18, 2001 1:53 PM
> To: [email protected]
> Subject: [FW1] what occurs first NAT or RULEBASE
>
> In checkpoint firewall-1 4.1, what occurs first, when a packet comes in,
> rulebase checking or address translation?
>
> Thanks.
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
> _____________________________________________________________________
> IMPORTANT NOTICES:
> This message is intended only for the addressee. Please notify the
> sender by e-mail if you are not the intended recipient. If you are not the
> intended recipient, you may not copy, disclose, or distribute this message
> or its contents to any other person and any such actions may be unlawful.
>
> Banc of America Securities LLC("BAS") does not accept time
> sensitive, action-oriented messages or transaction orders, including orders
> to purchase or sell securities, via e-mail.
>
> BAS reserves the right to monitor and review the content of all
> messages sent to or from this e-mail address. Messages sent to or from this
> e-mail address may be stored on the BAS e-mail system.