Re: [FW-1] UDP natting problem
Hi,

check out http://www.securityportal.com/list-archive/fw1/2001/May/0432.html, maybe this solves your problem. Unfortunately the list is currently down, but I hope it will be online again soon.

best regards
Daniel

-----Original Message-----
From: Michael Haller [mailto:[email protected]]
Sent: Wednesday, October 24, 2001 3:15 PM
To: [email protected]
Subject: [FW-1] UDP natting problem

Hi,

We're trying to demo client-server software which crosses our firewall (and the Atlantic). All communication is by UDP packets.

The machine we're setting the demo up on is a machine on our internal network (which is a 172.18.0.0 net). This machine is called int_ip. To allow connections to this machine our ISP has added a routable IP with the DNS entry ext_ip at their site.

I've created a network workstation object for this machine and set it to have static natting for the ext_ip. I've added a rule which enables UDP high ports and certain other services to/from the int_ip.

And it works... in general. I can ping external machines, which see the pings coming from ext_ip and not int_ip. If I snoop on the internal interface of the firewall I see the pings coming from int_ip. If I snoop on the external interface I see the pings coming from ext_ip. Other services, like ssh, work fine too.

The problem occurs when we start the demo. When the demo starts up (on int_ip) it sends a packet on port 3111 (say). The server sees this packet coming from ext_ip (good). It sends an ack and tells the client (at ext_ip) to start sending to port 3112 (say). The client (int_ip) sees this and starts sending to port 3112.

This is where the problem begins. The firewall doesn't seem to nat the packets sent to port 3112. Snooping the firewall interfaces: the internal interface shows all UDP for both 3111 and 3112 coming from int_ip. The external interface shows all UDP to 3111 as coming from ext_ip but all UDP for 3112 as coming from int_ip.

It seems the firewall gets confused when the client starts sending to a new port. Just to reiterate, the ports don't seem to be the problem themselves. It is when an existing client starts sending to a new port. No natting occurs on the packets for the new port.

Any clues as to what might be wrong?

Many thanks,
- Michael

===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================
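A small diagnostic, added here as an example and not code from the thread or from Check Point: it parses constructed snoop-style lines captured on the firewall's internal and external interfaces and reports, per UDP destination port, whether the private source address was translated, which is the comparison Michael did by hand for ports 3111 and 3112. The addresses, ports and line format are assumptions chosen to mirror the thread.

```python
import re
from collections import defaultdict

# Constructed snoop-style lines (not a real capture). The addresses are
# placeholders standing in for the thread's int_ip, ext_ip and remote server.
INT_IP = "172.18.0.10"
EXT_IP = "203.0.113.5"

INTERNAL_SNOOP = """\
172.18.0.10 -> 198.51.100.7 UDP D=3111 S=40001 LEN=60
172.18.0.10 -> 198.51.100.7 UDP D=3112 S=40002 LEN=60
"""
EXTERNAL_SNOOP = """\
203.0.113.5 -> 198.51.100.7 UDP D=3111 S=40001 LEN=60
172.18.0.10 -> 198.51.100.7 UDP D=3112 S=40002 LEN=60
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) UDP D=(\d+) S=(\d+)")


def parse(text):
    """Yield (src, dst, dport, sport) for each UDP line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, dport, sport = m.groups()
            yield src, dst, int(dport), int(sport)


def nat_report(internal, external, int_ip, ext_ip):
    """Map each outbound destination port seen on the inside to
    'translated', 'untranslated' (private source leaked) or 'missing'."""
    outside = defaultdict(set)
    for src, dst, dport, sport in parse(external):
        outside[(dst, dport, sport)].add(src)
    report = {}
    for src, dst, dport, sport in parse(internal):
        if src != int_ip:
            continue  # only flows originating on the NATed host matter
        seen = outside.get((dst, dport, sport), set())
        if ext_ip in seen:
            report[dport] = "translated"
        elif int_ip in seen:
            report[dport] = "untranslated"
        else:
            report[dport] = "missing"
    return report


if __name__ == "__main__":
    for port, status in sorted(nat_report(INTERNAL_SNOOP, EXTERNAL_SNOOP, INT_IP, EXT_IP).items()):
        print(f"udp/{port}: {status}")
```

Any "untranslated" port means a private address is leaving the external interface, which is both the symptom in the thread and an address leak worth alerting on.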