
[FW-1] hide & static NAT on AIX FW1 4.1



Hi All,

We seem not to understand fully how to combine hidden and static NAT (on two
different interfaces). We would greatly appreciate it if one of you could
answer a few questions stated below.

We would like to use hide NAT for our LAN and static NAT for the DMZ. Our
configuration of AIX FW-1 v4.1 looks as follows:

              Internet
                |
                |
        -------------------------------------
        |                                   |
        |          192.168.192.1            |------------------ DMZ ---(192.168.192.0)----------
        |                                   |                       |              |
        |       10.1.2.1                    |                       |        HTTP 192.168.192.2 -> static -> 144.144.111.195
        -------------------------------------                       |
                |                                               SMTP 192.168.192.3 -> static -> 144.144.111.196
                |
                |
                |
         LAN (10.1.2.0)   -> Hide -> 144.144.111.129


The NAT was implemented using the NAT option in the workstation/network
objects definitions. I.e. the automatic NAT rules were created.

Routing and ARP seem to be OK - we can communicate with the Internet
and our LAN is seen from outside as 144.144.111.129.

However, we cannot establish a connection to our DMZ. In the FW log we see
packets destined for the DMZ as being accepted at the corresponding
interfaces (security rules applied eitherbound). We do not see anything
being dropped.

Using a network sniffer in the DMZ we see a SYN packet for e.g. an HTTP
server (DST: 192.168.192.2) and its SYN/ACK response (DST: 144.144.111.129).
The packet sniffer at the external route to the Internet does not see any
inappropriate packets (i.e. originated in the DMZ and destined for the LAN).
Yet another clue indicating that our routing is OK.

However, all the SYN/ACK packets are mysteriously disappearing somewhere
at/in the firewall...

From the above and from reading info available to us (docs, phoneboy and
checkpoint sites) we conclude that, unless we are still missing something,
the automatic NAT rules are incomplete.

The questions:

1) Can we use the automatic NAT rules and then before these insert a manual
NAT rule (in case of the HTTP server):

        ORIGINAL                                   TRANSLATED
  SRC           DST               SERVICE      SRC                   DST             SERVICE
  10.1.2.0      144.144.111.195   any          144.144.111.129(H)    192.168.192.2   original

2) Alternatively - do we need to use the full manual NAT configuration
instead?

3) Normally we do see dropped packets on the rule 0 if anti-spoofing reacts.
Now, we do not see any drops. Can we conclude from this that anti-spoofing
is happy with this NAT configuration?

4) Do we need to exclude the FW LAN interface (10.1.2.1) from the hidden NAT
range?

NB. The IP numbers are completely fictitious, of course, but the mapping
schemes are preserved.

Thank you very much in advance.

Best Regards,

Jan Lac

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
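A constructed model of the two translations the post combines (hide NAT for the LAN, static NAT for the DMZ servers), added here and not part of the original message or of FireWall-1: it records each translated flow and shows the tuple a SYN/ACK must carry in the DMZ for the firewall to map it back to the LAN host, while a reply whose tuple is not in the table is dropped with no log entry, which is the symptom described. The LAN host 10.1.2.50, the port numbers and the table layout are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = "SYN"

# Constructed model of the topology in the post (addresses are the fictitious ones it gives).
HIDE_NET = "10.1.2."                # LAN, hidden behind one public address
HIDE_ADDR = "144.144.111.129"
STATIC = {"144.144.111.195": "192.168.192.2",   # HTTP server
          "144.144.111.196": "192.168.192.3"}   # SMTP server

class NatTable:
    """Connection-tracking table: each translated flow is recorded so its reply can be mapped back."""
    def __init__(self):
        self.by_orig = {}     # (src, sport, dst, dport) as sent by the LAN host -> (hide src, hide port, real dst)
        self.by_xlated = {}   # (server, server port, hide src, hide port) as seen in the DMZ -> original key
        self.next_port = 10000   # assumed hide-port allocation

    def outbound(self, pkt):
        """LAN -> DMZ via the server's public address: hide the source, then static-map the destination."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.by_orig:
            xsrc = HIDE_ADDR if pkt.src.startswith(HIDE_NET) else pkt.src
            xsport = self.next_port
            self.next_port += 1
            xdst = STATIC.get(pkt.dst, pkt.dst)
            self.by_orig[key] = (xsrc, xsport, xdst)
            self.by_xlated[(xdst, pkt.dport, xsrc, xsport)] = key
        xsrc, xsport, xdst = self.by_orig[key]
        return replace(pkt, src=xsrc, sport=xsport, dst=xdst)

    def reply(self, pkt):
        """DMZ -> LAN reply: undo both translations; an unknown tuple is dropped silently (None)."""
        orig = self.by_xlated.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        osrc, osport, odst, odport = orig
        return replace(pkt, src=odst, sport=odport, dst=osrc, dport=osport)

def trace_http_from_lan(nat, lan_host="10.1.2.50", sport=40000):
    """Packet as seen at each hop: LAN (SYN), DMZ (SYN), DMZ (SYN/ACK), LAN (SYN/ACK or None)."""
    syn = Packet(lan_host, "144.144.111.195", sport, 80, "SYN")
    syn_dmz = nat.outbound(syn)
    synack_dmz = Packet(syn_dmz.dst, syn_dmz.src, syn_dmz.dport, syn_dmz.sport, "SYN/ACK")
    return syn, syn_dmz, synack_dmz, nat.reply(synack_dmz)
```

Comparing the four tuples with what the DMZ and LAN sniffers actually show tells which of the two reverse translations is not being applied.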