RE: [FW1] what occurs first NAT or RULEBASE
I think you misread my email. I was referring to automatic NAT, and did not even touch on anti-spoofing.

Anyway, as far as when the packet is translated, here is the rule of thumb from CP's documentation:

1. Client-server packet is translated before it leaves the interface closest to the server.
2. Server-client packet is translated just after it enters the interface closest to the server.

The confusion with CP NAT is routing and anti-spoofing. You have the grip on anti-spoofing apparently. How you configure your routes depends on the various NAT modes. The biggy is when you have a static destination NAT. Then you want to make sure you have a route to the external address out the interface through which your NAT-ed host should be reached. However, when you use automatic static NAT, you don't need to put that route in. Although I'm not intimately acquainted with the specifics of CP's driver, I presume the reason for the latter is that CP translates the address at the point of applying the security rules (i.e. not the NAT rules) because the info is already recorded in the object properties.

George

-----Original Message-----
From: Frank Knobbe [mailto:[email protected]]
Sent: Friday, June 22, 2001 5:11 PM
To: 'Juppunov, George'; [email protected]
Subject: RE: [FW1] what occurs first NAT or RULEBASE

> -----Original Message-----
> From: Juppunov, George [mailto:[email protected]]
> Sent: Thursday, June 21, 2001 8:50 PM
>
> I think when you use automatic address translation it would do the address
> translation before making the routing decision because the NAT information
> is contained in the object properties i.e. with the security rules.

Nope. I have a habit of creating two objects for natted machines, one with the internal IP address and one with the external IP address. (I use these in groups for anti-spoofing). The rules base contains Any/Ext-IP/Service/accept, and my rules work flawlessly (eitherbound).
NAT always occurs before the packet hops on the wire...

Regards,
Frank
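An added illustration, not from either poster, of the ordering argued over in this thread: a toy Python model in which manual static destination NAT translates at egress, after the route lookup on the original (external) address, while the assumed automatic mode translates when the rulebase is applied, before routing. The interfaces, routing table and addresses are constructed, and the model is a simplification, not Check Point's actual driver behaviour.

```python
# Toy model of where destination NAT happens relative to the route lookup.
# Constructed example; it is NOT a description of Check Point internals.
import ipaddress

ROUTES = {  # constructed routing table: prefix -> egress interface
    "10.0.0.0/8": "eth1",   # internal network
    "0.0.0.0/0": "eth0",    # default route, external side
}
# Constructed static NAT mapping: public address -> internal server address.
STATIC_NAT = {"203.0.113.10": "10.0.0.10"}


def route_lookup(dst, routes):
    """Longest-prefix match of dst against the routing table."""
    addr = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in routes
               if addr in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return routes[str(best)]


def forward(dst, mode, routes=ROUTES):
    """Return (egress_interface, delivered_dst) for a client->server packet.

    mode "automatic": translate at the point the rulebase is applied, i.e.
                      before the routing decision (the thread's assumption).
    mode "manual":    route on the original address, translate only as the
                      packet leaves the interface closest to the server.
    """
    if mode == "automatic":
        dst = STATIC_NAT.get(dst, dst)
        return route_lookup(dst, routes), dst
    egress = route_lookup(dst, routes)          # routed on the public address
    return egress, STATIC_NAT.get(dst, dst)     # translated on the way out


if __name__ == "__main__":
    # Manual NAT without a host route: packet is routed out the default
    # (external) interface even though the translated server sits on eth1.
    print(forward("203.0.113.10", "manual"))
    # Adding a route for the external address out the internal interface,
    # as the thread recommends, fixes the egress choice.
    fixed = {**ROUTES, "203.0.113.10/32": "eth1"}
    print(forward("203.0.113.10", "manual", fixed))
    print(forward("203.0.113.10", "automatic"))
```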