
Re: [FW1] what occurs first NAT or RULEBASE




Frank Knobbe wrote:
> 
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Tuesday, June 26, 2001 5:29 PM
> >
> > 1.    HIDE
> >       Client initializes comm. --> Inspected by Firewall (both Inbound and
> >       Outbound) --> Packet gets translated (Source Hidden) --> Leaves
> >       Gateway. (NAT LAST THING THAT HAPPENS)
> >
> > 2.    Static Destination
> >       Client initializes comm. --> Inspected by Firewall (both Inbound and
> >       Outbound) --> Packet gets translated (Destination address is
> >       translated) --> Leaves Gateway. (NAT LAST THING THAT HAPPENS)
> >
> > 3.    Static Source
> >       Client initializes comm. --> Inspected by Firewall (both Inbound and
> >       Outbound) --> Packet gets translated (Source Address is translated)
> >       --> Leaves Gateway. (NAT LAST THING THAT HAPPENS)
> 
> Just to emphasize: In case 1 and case 3, 'client' means a computer
> within the protected network, behind the firewall.
> In case 2, 'client' means a computer in the unprotected network, in
> front of the firewall (such as a visitor hitting a web site [that is
> behind the firewall]).

These definitions are true in the majority of cases, and I realize that
you are trying to clarify, but there are configurations where the
'client' is not oriented the way you describe with respect to the NAT. 
Erik's descriptions are correct for ALL configurations.  

Why you would need such a backwards configuration is left as an exercise
to the reader.  If you've never encountered them in production
environments, consider yourself fortunate.  They're usually put in place
temporarily because something else is broken or poorly designed and will
take some time to fix.  8^O

-paul

