
[FW-1] UDP natting problem



Hi,

We're trying to demo client-server software which crosses our firewall (and the
Atlantic).  All communication is by UDP packets.

The machine we're setting the demo up on is a machine on our internal
network (which is a 172.18.0.0 net).  This machine is called int_ip.
To allow connections to this machine our ISP has added a routable IP
with the DNS entry ext_ip at their site.

I've created a network workstation object for this machine and set it to
have static natting for the ext_ip.  I've added a rule which enables UDP
high ports and certain other services to/from the int_ip.

And it works...in general.  I can ping external machines which see the
pings coming from ext_ip and not int_ip.  If I snoop on the internal
interface of the firewall I see the pings coming from int_ip.  If
I snoop on the external interface I see the pings coming from ext_ip.
Other services, like ssh, work fine too.

The problem occurs when we start the demo.  When the demo starts up
(on int_ip) it sends a packet on port 3111 (say).  The server
sees this packet coming from ext_ip (good).  It sends an ack and tells
the client (at ext_ip) to start sending to port 3112 (say).  The client
(int_ip) sees this and starts sending to port 3112.  This is where the
problem begins.  The firewall doesn't seem to nat the packets sent to
port 3112.

Snooping the firewall interfaces:  the internal interface shows all
UDP for both 3111 and 3112 coming from int_ip.  The external interface
shows all UDP to 3111 as coming from ext_ip but all UDP for 3112 as
coming from int_ip.

It seems the firewall gets confused when the client starts sending to
a new port.  Just to reiterate, the ports don't seem to be the problem
themselves.  It is when an existing client starts sending to a new port.
No natting occurs on the packets for the new port.

Any clues as to what might be wrong?

Many thanks,

        - Michael

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
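The snoop comparison described above, turned into a repeatable check (an added example, not code from the post or from Check Point): it takes packet records from the internal and external interfaces and reports which flows left the firewall still carrying the internal 172.18.x address instead of the mapped ext_ip. The capture, the addresses (int_ip, ext_ip, the server) and the ports are constructed sample values.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample packets, not a real capture, in the shape of the snoop
# observations from the post: (interface, src, dst, proto, sport, dport).
INT_IP = "172.18.0.10"    # hypothetical int_ip on the 172.18.0.0 net
EXT_IP = "192.0.2.10"     # hypothetical routable ext_ip
SERVER = "198.51.100.5"   # hypothetical remote demo server
CAPTURE = [
    ("internal", INT_IP, SERVER, "udp", 40001, 3111),
    ("external", EXT_IP, SERVER, "udp", 40001, 3111),  # translated: good
    ("internal", INT_IP, SERVER, "udp", 40002, 3112),
    ("external", INT_IP, SERVER, "udp", 40002, 3112),  # not translated: the bug
    ("internal", INT_IP, SERVER, "icmp", 0, 0),
    ("external", EXT_IP, SERVER, "icmp", 0, 0),        # translated: good
]
STATIC_NAT = {INT_IP: EXT_IP}  # internal address -> expected external address

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def egress_sources(records):
    """Map each (proto, dst, dport) flow to the source addresses seen on the
    external interface; NAT is correct only if that set is the mapped ext_ip."""
    seen = {}
    for iface, src, dst, proto, sport, dport in records:
        if iface == "external":
            seen.setdefault((proto, dst, dport), set()).add(src)
    return seen

def find_nat_leaks(records, static_nat):
    """Sorted (proto, dport) pairs that left the firewall carrying an address
    the static NAT should have rewritten, or any RFC 1918 source at all."""
    leaks = set()
    for (proto, _dst, dport), sources in egress_sources(records).items():
        if any(src in static_nat or is_rfc1918(src) for src in sources):
            leaks.add((proto, dport))
    return sorted(leaks)

def translated_flows(records, static_nat):
    """Sorted (proto, dport) pairs whose every egress packet carried the
    expected translated address, i.e. flows where NAT worked."""
    expected = set(static_nat.values())
    return sorted((proto, dport)
                  for (proto, _dst, dport), sources in egress_sources(records).items()
                  if sources <= expected)
```

Run `find_nat_leaks(CAPTURE, STATIC_NAT)` to list the untranslated flows (here only UDP/3112) and `translated_flows(CAPTURE, STATIC_NAT)` for the ones where NAT held; feeding real snoop output through the same tuple shape isolates which new port the NAT rule is missing.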

   All contents © 2004 Network Presence, LLC. All rights reserved.