[FW-1] hide & static NAT on AIX FW1 4.1
Hi All,

We seem not to understand fully how to combine hide and static NAT (on two different interfaces). We would greatly appreciate it if somebody could answer the few questions stated below.

We would like to use hide NAT for our LAN and static NAT for the DMZ. Our configuration of AIX FW-1 v4.1 looks as follows:

    Internet
       |
    FW-1
       |-- DMZ interface 192.168.192.1, DMZ network 192.168.192.0
       |       HTTP 192.168.192.2 -> static -> 144.144.111.195
       |       SMTP 192.168.192.3 -> static -> 144.144.111.196
       |
       |-- LAN interface 10.1.2.1, LAN network 10.1.2.0 -> hide -> 144.144.111.129

The NAT was implemented using the NAT option in the workstation/network object definitions, i.e. the automatic NAT rules were created.

Routing and ARP seem to be OK: we can communicate with the Internet and our LAN is seen from outside as 144.144.111.129. However, we cannot establish a connection to our DMZ. In the FW log we see packets destined for the DMZ as being accepted at the corresponding interfaces (security rules applied eitherbound). We do not see anything being dropped.

Using a network sniffer in the DMZ we see a SYN packet for e.g. the HTTP server (DST: 192.168.192.2) and its SYN/ACK response (DST: 144.144.111.129). The packet sniffer on the external route to the Internet does not see any inappropriate packets (i.e. originated in the DMZ and destined for the LAN). Yet another clue indicating that our routing is OK. However, all the SYN/ACK packets are mysteriously disappearing somewhere at/in the firewall...

From the above and from reading the info available to us (docs, phoneboy and Check Point sites) we conclude that, unless we are still missing something, the automatic NAT rules are incomplete.
The questions:

1) Can we use the automatic NAT rules and then insert a manual NAT rule before them (in the case of the HTTP server)?

                ORIGINAL                           TRANSLATED
    SRC         DST              SERVICE   SRC                 DST            SERVICE
    10.1.2.0    144.144.111.195  any       144.144.111.129(H)  192.168.192.2  original

2) Alternatively, do we need to use the full manual NAT configuration instead?

3) Normally we do see dropped packets on rule 0 if anti-spoofing reacts. Now we do not see any drops. Can we conclude from this that anti-spoofing is happy with this NAT configuration?

4) Do we need to exclude the FW LAN interface (10.1.2.1) from the hide NAT range?

NB. The IP numbers are completely fictitious, of course, but the mapping schemes are preserved.

Thank you very much in advance.

Best Regards,
Jan Lac

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
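The manual rule proposed in question 1 translates both the source (hidden behind 144.144.111.129) and the destination (144.144.111.195 to 192.168.192.2) in a single rule, whereas each automatic rule translates only one side. The following is an added example, not part of the original message and not Check Point's code: a small first-match NAT rule model (one rule translates a packet, then a connection table translates the reply back) run over the fictitious addresses from the post. The rule order for the automatic rules, the client address 10.1.2.5, the client port 40000 and the hide-port range are assumptions for the illustration; this is a simplified model, not FW-1's actual NAT implementation.

```python
"""First-match NAT rule model (added example, not FW-1 code).

Rules have ORIGINAL src/dst/service and TRANSLATED src/dst, as in the
post's rule layout. The first matching rule translates the packet; a
connection table maps the reply back to the original addresses.
Addresses are the fictitious ones from the post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: str               # CIDR or "any"
    orig_dst: str               # CIDR or "any"
    orig_svc: Optional[int]     # destination port, None = any
    xlate_src: Optional[str]    # None = keep original
    xlate_dst: Optional[str]    # None = keep original
    hide: bool = False          # hide NAT also rewrites the source port


def _match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class NatEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = {}            # reply key -> original Packet
        self.next_hide_port = 10000  # assumed hide-port range

    def outbound(self, pkt: Packet):
        """Translate a new connection; returns (translated packet, rule name)."""
        for rule in self.rules:
            if (_match(rule.orig_src, pkt.src) and _match(rule.orig_dst, pkt.dst)
                    and (rule.orig_svc is None or rule.orig_svc == pkt.dport)):
                sport = pkt.sport
                if rule.hide:
                    sport = self.next_hide_port
                    self.next_hide_port += 1
                xl = Packet(rule.xlate_src or pkt.src, rule.xlate_dst or pkt.dst, sport, pkt.dport)
                # Key the entry the way the reply will look (src/dst swapped).
                self.conns[(xl.dst, xl.dport, xl.src, xl.sport)] = pkt
                return xl, rule.name
        return pkt, None

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back via the connection table; None if no connection matches."""
        orig = self.conns.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)


def post_rules(with_manual: bool):
    """The manual rule from question 1 (optional) followed by the automatic rules.
    The relative order of the automatic rules is an assumption."""
    manual = NatRule("manual LAN->HTTP", "10.1.2.0/24", "144.144.111.195/32", None,
                     "144.144.111.129", "192.168.192.2", hide=True)
    automatic = [
        NatRule("auto static HTTP (to)", "any", "144.144.111.195/32", None, None, "192.168.192.2"),
        NatRule("auto static HTTP (from)", "192.168.192.2/32", "any", None, "144.144.111.195", None),
        NatRule("auto static SMTP (to)", "any", "144.144.111.196/32", None, None, "192.168.192.3"),
        NatRule("auto static SMTP (from)", "192.168.192.3/32", "any", None, "144.144.111.196", None),
        NatRule("auto hide LAN", "10.1.2.0/24", "any", None, "144.144.111.129", None, hide=True),
    ]
    return ([manual] if with_manual else []) + automatic


def lan_to_http(with_manual: bool) -> dict:
    """A LAN client (assumed 10.1.2.5:40000) opens 144.144.111.195:80; show what
    crosses the DMZ wire, and what the SYN/ACK is mapped back to."""
    eng = NatEngine(post_rules(with_manual))
    syn = Packet("10.1.2.5", "144.144.111.195", 40000, 80)
    wire, rule = eng.outbound(syn)
    synack = Packet(wire.dst, wire.src, wire.dport, wire.sport)  # what the DMZ host answers
    return {"rule": rule, "wire": wire, "reply_to_client": eng.reply(synack)}


if __name__ == "__main__":
    for flag in (True, False):
        r = lan_to_http(flag)
        print(f"manual rule {'present' if flag else 'absent'}: matched {r['rule']}, "
              f"on DMZ wire {r['wire']}, SYN/ACK mapped to {r['reply_to_client']}")
```

With the manual rule in place the packet reaching the DMZ wire carries the hidden source 144.144.111.129 and the real destination 192.168.192.2, and the SYN/ACK addressed to 144.144.111.129 is mapped back to the client. With only the automatic rules, first-match semantics means whichever automatic rule matches first translates just its own side (here only the destination), which is the asymmetry the question is about; the model does not claim to reproduce where FW-1 itself drops the reply.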