Re: [FW1] what occurs first NAT or RULEBASE
Paul, pardon my jumping in and the sort of lengthy e-mail, but: I have to agree that NAT scenarios are not always that straightforward. Just yesterday I was at a customer site with FW-1 running on NT, and they have such a complicated bunch of NAT rules and such a large routing table in NT that for a while I sat there, puzzled by what I could gather from the log. A single ping request generated no less than 4-6 log entries, noting various address changes for source and destination.

The situation there is as follows: They have a VPN - not involving FW-1 - via a Linux box and need to reach various networks of partner sites, all using private IP ranges assigned by their ISP. Packets from the customer LAN are hidden behind a single private "VPN" IP (10.142.16.80), although application servers belonging to the same network in addition have a virtual NAT-ed address (also private) and a real address in the 100.100.0.0 network.

Here is an excerpt from their routing table:

Active Routes:
Network Destination   Netmask           Gateway        Interface       Metric
0.0.0.0               0.0.0.0           194.139.xx.1   194.139.xx.2    1
10.126.18.0           255.255.255.0     10.142.16.65   10.142.16.66    1
10.142.16.0           255.255.255.224   10.142.16.65   10.142.16.66    1
10.142.16.64          255.255.255.192   10.142.16.66   10.142.16.66    1
10.142.16.66          255.255.255.255   127.0.0.1      127.0.0.1       1
10.142.16.70          255.255.255.255   192.9.200.30   192.9.200.118   1
........
10.142.16.80          255.255.255.255   192.9.200.30   192.9.200.118   1
10.254.16.0           255.255.255.0     10.142.16.65   10.142.16.66    1
10.255.255.255        255.255.255.255   10.142.16.66   10.142.16.66    1
100.100.0.0           255.255.0.0       192.9.200.30   192.9.200.118   1

194.139.xx.1 = WAN interface, 10.142.16.65 = VPN box, 10.142.16.66 = VPN interface, 192.9.200.118 = LAN interface

My task was to implement an address change for the 10.142.16.64 network (and all partner networks), which had been a 10.129.52.64 network before.
At first I didn't add the routes for the server 10.142.16.70 and others (up to *.73), since I reasoned that this server has in reality a 100.100.0.0 address (for which there is a route) and, when NAT always happens last, this shouldn't be necessary. But somehow in this particular case it seems as if the routing happens BEFORE NAT, because I couldn't reach the *.70 host before adding this particular route using their internal switch (192.9.200.30) as the gateway.

I am still not quite sure if I drew the right conclusions... or why it really works as it does <s>

Do you probably have a different take on this?? Or anyone else? Any opinion would be welcome!

Best regards
Ralf Guenthner

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
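The ordering question Ralf raises, modelled as an added example (my own code, not anything from the post or from Check Point): a toy longest-prefix-match lookup over his routing table, with and without the host route he added, combined with one static destination-NAT entry under both possible orderings. The NAT mapping 10.142.16.70 -> 100.100.0.70 is an assumption, and the default route is omitted because its address is masked in the post.

```python
import ipaddress

# Routing table from the post (default route omitted: its address is masked
# as 194.139.xx.1 in the original). Rows: destination, netmask, gateway, interface.
ROUTES_BASE = [
    ("10.126.18.0",    "255.255.255.0",   "10.142.16.65", "10.142.16.66"),
    ("10.142.16.0",    "255.255.255.224", "10.142.16.65", "10.142.16.66"),
    ("10.142.16.64",   "255.255.255.192", "10.142.16.66", "10.142.16.66"),
    ("10.142.16.66",   "255.255.255.255", "127.0.0.1",    "127.0.0.1"),
    ("10.142.16.80",   "255.255.255.255", "192.9.200.30", "192.9.200.118"),
    ("10.254.16.0",    "255.255.255.0",   "10.142.16.65", "10.142.16.66"),
    ("10.255.255.255", "255.255.255.255", "10.142.16.66", "10.142.16.66"),
    ("100.100.0.0",    "255.255.0.0",     "192.9.200.30", "192.9.200.118"),
]
# The host route Ralf had to add by hand to reach the .70 server.
HOST_ROUTE = ("10.142.16.70", "255.255.255.255", "192.9.200.30", "192.9.200.118")
ROUTES_FIXED = ROUTES_BASE + [HOST_ROUTE]

# Assumed static destination NAT: virtual (private) address -> real 100.100.0.0 address.
STATIC_NAT = {"10.142.16.70": "100.100.0.70"}


def lookup(dst, routes):
    """Longest-prefix match; returns (gateway, interface) or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def forward(dst, routes, nat, route_before_nat):
    """Return (destination after NAT, next-hop gateway) for one packet to dst."""
    if route_before_nat:
        hop = lookup(dst, routes)      # OS routes on the address the client used
        dst = nat.get(dst, dst)        # firewall translates afterwards
    else:
        dst = nat.get(dst, dst)        # translate first...
        hop = lookup(dst, routes)      # ...then route on the real address
    return dst, (hop[0] if hop else None)


if __name__ == "__main__":
    for label, routes in (("without host route", ROUTES_BASE), ("with host route", ROUTES_FIXED)):
        for order in (True, False):
            print(label, "route first" if order else "NAT first",
                  forward("10.142.16.70", routes, STATIC_NAT, order))
```

In this model, routing before NAT sends the .70 packet via the 10.142.16.64/26 entry out the VPN interface, and only the host route steers it to the LAN switch, which matches what Ralf observed; NAT before routing would have worked without it.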