
Re: [FW1] what occurs first NAT or RULEBASE




Paul, pardon my jumping in with a somewhat lengthy e-mail, but:

I have to agree that NAT scenarios are not always that straightforward.
Just yesterday I was at a customer site with FW-1 running on NT, and they
have such a complicated bunch of NAT rules and such a large routing table
in NT that for a while I sat there, puzzled by what I could gather from the
log. A single ping request generated no less than 4-6 log entries, noting
various address changes for source and destination.

The situation there is as follows: They have a VPN - not involving FW-1 -
via a Linux box and need to reach various networks of partner sites, all
using private IP ranges assigned by their ISP. Packets from the customer
LAN are hidden behind a single private "VPN" IP (10.142.16.80), although
application servers belonging to the same network additionally have a
virtual NAT-ed address (also private) and a real address in the 100.100.0.0
network.

Here is an excerpt from their routing table:

Active Routes:
Network Destination    Netmask            Gateway          Interface        Metric
0.0.0.0                0.0.0.0            194.139.xx.1     194.139.xx.2     1
10.126.18.0            255.255.255.0      10.142.16.65     10.142.16.66     1
10.142.16.0            255.255.255.224    10.142.16.65     10.142.16.66     1
10.142.16.64           255.255.255.192    10.142.16.66     10.142.16.66     1
10.142.16.66           255.255.255.255    127.0.0.1        127.0.0.1        1
10.142.16.70           255.255.255.255    192.9.200.30     192.9.200.118    1
........
10.142.16.80           255.255.255.255    192.9.200.30     192.9.200.118    1
10.254.16.0            255.255.255.0      10.142.16.65     10.142.16.66     1
10.255.255.255         255.255.255.255    10.142.16.66     10.142.16.66     1
100.100.0.0            255.255.0.0        192.9.200.30     192.9.200.118    1

194.139.xx.1 = WAN interface, 10.142.16.65 = VPN box,
10.142.16.66 = VPN interface, 192.9.200.118 = LAN interface

My task was to implement an address change for the 10.142.16.64 network
(and all partner networks), which had been the 10.129.52.64 network before.
At first I didn't add the routes for the server 10.142.16.70 and the others
(up to *.73), since I reasoned that this server in reality has a 100.100.0.0
address (for which there is a route) and, if NAT always happens last, this
shouldn't be necessary. But somehow in this particular case it seems as if
the routing happens BEFORE NAT, because I couldn't reach the *.70 host
before adding this particular route, using their internal switch
(192.9.200.30) as the gateway.

I am still not quite sure if I drew the right conclusions... or why it
really works as it does <s>

Do you perhaps have a different take on this? Or anyone else?

Any opinion would be welcome!

Best regards
Ralf Guenthner
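The observation in Ralf's post can be reproduced with a plain longest-prefix lookup over the routing table he quotes. The following is an added example, not code from the post or from Check Point: it compares the next hop the NT stack would pick if it routes on the original (pre-NAT) destination with the one it would pick if it routed on the translated destination. The gateways are kept as the label strings from the page because the WAN addresses are masked ("xx"), and the server's real 100.100.x.x address is a constructed value, since the post does not list it.

```python
"""Longest-prefix route lookup over the FW-1/NT routing table quoted in the post,
used to compare 'route, then NAT' with 'NAT, then route' for a destination-NATed host.
Added example; the routes are transcribed from the post, the real server address
(100.100.1.70) is constructed for illustration."""
from ipaddress import ip_address, ip_network

# Routes as quoted in the post (the 10.142.16.70/32 host route is kept separate below).
# Gateway / interface are label strings only: the WAN addresses are masked on the page,
# and the lookup needs just the prefix.
ROUTES = [
    ("0.0.0.0/0",         "194.139.xx.1", "194.139.xx.2"),
    ("10.126.18.0/24",    "10.142.16.65", "10.142.16.66"),
    ("10.142.16.0/27",    "10.142.16.65", "10.142.16.66"),
    ("10.142.16.64/26",   "10.142.16.66", "10.142.16.66"),   # directly connected VPN net
    ("10.142.16.66/32",   "127.0.0.1",    "127.0.0.1"),
    ("10.142.16.80/32",   "192.9.200.30", "192.9.200.118"),
    ("10.254.16.0/24",    "10.142.16.65", "10.142.16.66"),
    ("10.255.255.255/32", "10.142.16.66", "10.142.16.66"),
    ("100.100.0.0/16",    "192.9.200.30", "192.9.200.118"),
]

# The host route Ralf had to add before *.70 became reachable.
HOST_ROUTE_70 = ("10.142.16.70/32", "192.9.200.30", "192.9.200.118")

# Static destination NAT: virtual server address -> real address in 100.100.0.0/16.
# The real address is constructed for this example; the post does not give it.
DST_NAT = {"10.142.16.70": "100.100.1.70"}


def lookup(routes, dst):
    """Return (prefix, gateway, interface) of the most specific route matching dst."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for prefix, gw, iface in routes:
        net = ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, iface), net.prefixlen
    return best


def route_then_nat(routes, dst):
    """Forwarding decision taken on the packet as it arrived (pre-NAT destination)."""
    return lookup(routes, dst)


def nat_then_route(routes, dst):
    """Forwarding decision taken on the translated (post-NAT) destination."""
    return lookup(routes, DST_NAT.get(dst, dst))


def next_hop_for_70(host_route_present):
    """Gateway chosen for 10.142.16.70 under both orderings, with/without the /32 route."""
    routes = ROUTES + ([HOST_ROUTE_70] if host_route_present else [])
    return {
        "route_then_nat": route_then_nat(routes, "10.142.16.70")[1],
        "nat_then_route": nat_then_route(routes, "10.142.16.70")[1],
    }


if __name__ == "__main__":
    for present in (False, True):
        state = "present" if present else "absent "
        print(f"host route for .70 {state}: {next_hop_for_70(present)}")
```

Without the host route, a lookup on the original destination 10.142.16.70 matches the directly connected 10.142.16.64/26 and hands the packet to the VPN interface, so the translated server is never reached; only the /32 pointing at the switch (192.9.200.30) redirects it. A lookup on the translated address 100.100.1.70 would have hit 100.100.0.0/16 and reached the switch with no extra route. This is exactly why the classic FW-1 static NAT setup requires a host route (and, on the external side, a proxy ARP entry) on the gateway OS for every translated address when translation is done on the server side: the OS routes on the untranslated destination.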