
RE: [FW1] How to NAT (both ports and adresses...?)




O.K. but before I try your solution, I'd like to ask one thing.
Peter,

In your solution,

Original Packet:
Source:60.x.x.x
Destin: 192.168.x.x
Service: TCP_port_1900

Translated Packet:
Source:60.x.x.x
Destin: Fake_NAT_Address [You'd have to set this up
first under Manage, Network Objects]
Service: Original

But in the translated packet, if the Service is

Service: Original

How will the service translation be accomplished? As I've mentioned in my question, I also want the service port to be translated to another irrelevant fake port. On the other hand, the real receiver 192.168.x.x listens on the real TCP_port_1900; how shall the packets reach that port?

Thanx in advance...

Mete EMINAGAOGLU


-----Original Message-----
From: P L [mailto:[email protected]]
Sent: Friday, August 17, 2001 6:03 PM
To: METE EMINAGAOGLU (IT)
Subject: Re: [FW1] How to NAT (both ports and adresses...?)


You would set up NAT rules exactly as you would expect
them to look.  In the Address Translation section of
your FW1 Security Policy program, set up a NAT rule
like this:

Original Packet:
Source:60.x.x.x
Destin: 192.168.x.x
Service: TCP_port_1900

Translated Packet:
Source:60.x.x.x
Destin: Fake_NAT_Address [You'd have to set this up
first under Manage, Network Objects]
Service: Original

NAT is pretty flexible.  Note that you can only add
one object under Services, so if you want to NAT
multiple services with one rule, you can set up a
Group of Services [e.g. create a group that includes
TCP 1900 and TCP 1901].

NAT rules like other rules are processed top to
bottom, so if you have any other NAT rules that would
apply to this computer, you'd want to add this new
rule before that rule, maybe at the top of the list of
NAT rules.

Naturally, you have to write your own NAT rules to do
this.  It won't work if you use the NAT checkbox in
the NAT section of the computer or network object to
allow FW-1 to write automatic NAT rules for you.

Hope this helps.

--- "METE EMINAGAOGLU (IT)" <[email protected]>
wrote:
> Hi to all...
>
> I have a bit of a complex and perhaps weird problem,
> hence question. Any help,
> comment, suggestion is welcome. Thanx.
>
> Problem:
>
> A Server in my DMZ. Let's say 60.x.x.x
> Another Server in my LAN. Let's say 192.168.x.x
> A specific service on Real Port k. Let's say
> TCP_1900
>
> The original rule setting:
>
> Source:60.x.x.x
> Destin: 192.168.x.x
> Service: TCP_port_1900.
>
> Everything works fine.
>
> However, I want a new arrangement so that TCP_1900
> packets do not directly
> go from 60.x.x.x to 192.168.x.x. They are to be
> routed to any non-existent
> fake X-Server via a different NAT'ed fake port, say
> TCP_fake. Then, from
> X-Server to the target destin. 192.168.x.x in LAN,
> while also fake-port
> NAT'ed to the real TCP_1900.
>
> Using only a single FW, how could this be achieved?
> (What are the necessary
> rules and IP+service NAT's?)
>
> If not possible by a single FW, then what is
> additionally required within
> the FW so as to establish the necessary solution?
>
>
>
> Mete EMINAGAOGLU
>
>
>


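The rule layout discussed in this thread, as an added example that is not part of the original messages and is not FW-1 code: a simplified first-match model of a manual NAT table where one rule rewrites both the destination address and the service port, and where rule order decides which rewrite a packet gets. The addresses, port numbers, class and function names are constructed for illustration; `None` in a translate column stands for "Original".

```python
from dataclasses import dataclass
from typing import Optional

ANY = None       # match column: wildcard
ORIGINAL = None  # translate column: leave the field unchanged

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    # "Original Packet" columns: what the rule matches
    m_src: Optional[str]
    m_dst: Optional[str]
    m_dport: Optional[int]
    # "Translated Packet" columns: what the rule rewrites
    t_src: Optional[str] = ORIGINAL
    t_dst: Optional[str] = ORIGINAL
    t_dport: Optional[int] = ORIGINAL

    def matches(self, p: Packet) -> bool:
        pairs = ((self.m_src, p.src), (self.m_dst, p.dst), (self.m_dport, p.dport))
        return all(want is ANY or want == got for want, got in pairs)

    def apply(self, p: Packet) -> Packet:
        return Packet(self.t_src or p.src, self.t_dst or p.dst, self.t_dport or p.dport)

def translate(rules, p):
    """Walk the table top to bottom; the first matching rule wins."""
    for index, rule in enumerate(rules):
        if rule.matches(p):
            return index, rule.apply(p)
    return None, p  # no NAT rule matched: packet is left as it was

# Constructed sample values standing in for the thread's masked addresses.
DMZ, FAKE, LAN = "60.0.0.10", "10.9.9.9", "192.168.1.20"
FAKE_PORT, REAL_PORT = 4900, 1900

specific = NatRule(DMZ, FAKE, FAKE_PORT, t_dst=LAN, t_dport=REAL_PORT)
broad = NatRule(ANY, FAKE, ANY, t_dst="192.168.1.99")  # hypothetical older, wider rule

def demo():
    pkt = Packet(DMZ, FAKE, FAKE_PORT)
    on_top = translate([specific, broad], pkt)    # specific rule listed first
    shadowed = translate([broad, specific], pkt)  # broad rule listed first
    return on_top, shadowed
```

With the specific rule on top the packet reaches the real server on port 1900; with the broad rule above it, the packet is rewritten to the wrong host and keeps the fake port, which is the shadowing problem the advice about rule order guards against.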



 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.