
[FW1] [Total newbie alert] NAT without NAT ?!?



	I have a question (more of an understanding of functionality issue) 
about FW-1 ver4.1, in regards to something having come up when I 
tried to debug an assumed network problem. Here is the 
environment: "three-leg" FW-1 setup (one leg internal, one DMZ, and 
one Internet). The problem I was having forced me to run Ethereal on 
one machine (the "client") placed internally (let's say 172.16.1.1) and 
also run Ethereal on the "server" located in the DMZ (let's say 
x.y.z.w), which the client has problems communicating with. Here is 
the (to me - the FW-1 newbie) strange problem:

- the trace taken on the machine inside shows communication 
between: 172.16.1.1 port "n" <---> x.y.z.w port 80
- the trace taken on the server shows communication between:
x.y.z.t port "m" <---> x.y.z.w port 80, where x.y.z.t is the DMZ 
interface address on the firewall, and port "m" is obviously other than 
"n" of the client!!!
- FW-1 has NO rule to NAT the internal machines!!!
- the access from the internal machine to DMZ is free!!!

	And here is my (again - apologies for not knowing FW-1) opinion: 
FW-1 should have behaved like a router, with replacement (obviously) 
only of the MAC address of the DMZ interface, when allowing the 
internal client out on the DMZ (which is another subnet), but NOT the 
replacement IP and port ?!?! It looks to me like a router-like behavior 
is actually now behaving like a NAT and PAT ?!? Is there anything I 
am missing here?!?

TIA,
Stef






 
   All contents © 2004 Network Presence, LLC. All rights reserved.