
[FW1] Strange NAT and packet transfer within Web server...


Hi to all,

I've found such strange tracks while analyzing my CP 4.1 SP3.0 FW logs.

x.x.x.x    -  Our Firewall's valid IP address for NAT. Outer interface ethernet IP.
y.y.y.y    -  An outsider's Internet IP
w.w.w.w  -  The valid IP of our Web Server (located in DMZ)


Origin       type  Action     Service  Source    Destin     proto  rule  S_port                        Xlate Source  Xlate Dst  Xlate SPort   Xlate DestPort    Info      

"x.x.x.x"     "log" "accept"   "1041"     "x.x.x.x"  "y.y.y.y"  "tcp"    "0"    "1026"  ""  ""  ""  ""  ""  "w.w.w.w"        "y.y.y.y"   "http"              "1041"                " len 40" 

I don't feel completely all right about this, because:

1. It's accepted via rule 0. (In the FW policy properties, I couldn't find anything relevant...)

2. The source is the FW's IP, the destination is the outsider's IP, and the translated source is the Web Server's IP. (How come? There's no such strange NAT definition in the FW rules...)

3. In some other similar logs, the Service, S_port and Xlate DestPort vary, but every time, Xlate SPort is the same service port (http). (O.K., these transactions are related to the Web Server's responses, thus http might be thought of as normal. But what about the other ports and services, are they selected randomly by the Firewall?)


Is there anything unusual or suspicious? Especially if the case is some packets being transferred to the outside world from our Web Server, I'm a bit more sensitive...
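
One way to tabulate entries like the one above across a whole log export, as an added example that is not part of the original message: it groups rule-0 accepts whose translated source differs from the logged source, and counts how often Service equals Xlate DestPort. The field order is taken from the header in the post; the placeholder names for the five unnamed columns, the function names and every sample line except the first are assumptions.

```python
import shlex
from collections import defaultdict

# Column order copied from the header in the post. The five empty columns
# between S_port and Xlate Source have no header there, so they get
# placeholder names (assumption).
FIELDS = ["origin", "type", "action", "service", "src", "dst", "proto",
          "rule", "s_port", "_u1", "_u2", "_u3", "_u4", "_u5",
          "xlate_src", "xlate_dst", "xlate_sport", "xlate_dport", "info"]

# First line is the entry from the post; the other two are constructed samples.
SAMPLE = '''\
"x.x.x.x" "log" "accept" "1041" "x.x.x.x" "y.y.y.y" "tcp" "0" "1026" "" "" "" "" "" "w.w.w.w" "y.y.y.y" "http" "1041" " len 40"
"x.x.x.x" "log" "accept" "1187" "x.x.x.x" "y.y.y.y" "tcp" "0" "1033" "" "" "" "" "" "w.w.w.w" "y.y.y.y" "http" "1187" " len 40"
"x.x.x.x" "log" "accept" "http" "y.y.y.y" "w.w.w.w" "tcp" "4" "1187" "" "" "" "" "" "" "" "" "" ""
'''

def parse(line):
    """Split one exported log line into a dict keyed by FIELDS."""
    values = shlex.split(line)          # keeps "" as an empty field
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, (v.strip() for v in values)))

def summarise(text):
    """Group rule-0 accepts whose translated source differs from the source."""
    groups = defaultdict(lambda: {"count": 0, "services": set(), "port_match": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        translated = e["xlate_src"] and e["xlate_src"] != e["src"]
        if e["action"] != "accept" or e["rule"] != "0" or not translated:
            continue
        g = groups[(e["xlate_src"], e["xlate_sport"])]
        g["count"] += 1
        g["services"].add(e["service"])
        # Does the logged Service repeat as Xlate DestPort, as in the post?
        g["port_match"] += e["service"] == e["xlate_dport"]
    return dict(groups)

if __name__ == "__main__":
    for (xsrc, xsport), g in summarise(SAMPLE).items():
        print(f"xlate_src={xsrc} xlate_sport={xsport} entries={g['count']} "
              f"services={sorted(g['services'])} "
              f"service==xlate_dport in {g['port_match']}")
```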




 
   All contents © 2004 Network Presence, LLC. All rights reserved.