----- Original Message -----
Sent: Friday, November 02, 2001 18:36
Subject: Re: [FW-1] FW1 v4.1 on NT 4, Single external IP
I'm not sure I follow what everyone is talking about here. If you only have one external IP, which is by necessity physically bound to the adapter, inbound NAT rules will not work (you cannot proxy ARP your real IP on Solaris or NT/2000 - if the address is bound to the adapter, the stack has no reason to route it elsewhere - it just passes it up the stack). So, the way to accomplish this, since Cisco-style portmaps don't work, is to use resource rules. For example, create a resource for HTTP, another for FTP, and another for SMTP. Create three rules using these resources (source = any, dest = firewall, service = URI resource ... etc.). Your firewall will essentially proxy these connections, such that the logs on your internal HTTP, FTP, and SMTP servers will show the source as the internal IP of the firewall (this is not necessarily desirable, but that comes with the territory). If you need services other than these three, you need more IPs (see below).

If you have more than one IP, all these issues go away, and you can redirect ports to your heart's content with NAT (as long as your route statement specifies a next-hop internal router that knows how to get to all your internal servers).

HTH - please post if I've missed the point somewhere...

Dan Hitchcock
-----Original Message-----
From: Yves Belle-Isle [mailto:[email protected]]
Sent: Friday, November 02, 2001 1:43 PM
To: [email protected]
Subject: Re: [FW-1] FW1 v4.1 on NT 4, Single external IP
Can you explain please how "address translation" can help? The normal solution already uses "address translation" via NAT.

In my solution I NAT the external address to two internal addresses based on service (21/FTP and 80/HTTP), but how do you set up the necessary routing in Windows NT?

If you have a working solution not involving a router between the FW-1 and the internal servers it would be great, because I want to implement it, like , and I can't.

P.S. Seems that FW-1 2000 (4.1 SP1+) should be non-existent in NG, because I read the NAT is done at the input interface, not the server-side interface, so all the rules are built around the internal address, I suppose, so if I change ISP and external IP address I don't need to change all the rules and I don't need to add a route in NT, because when the routing is done, the address will already have been translated to the internal address...
At 15:46 2001-11-02 -0500, Juan Concepcion wrote:
>You could also use address translation to get this accomplished.
>
>Yves Belle-Isle wrote:
>
>> Yes in the following configuration:
>>
>>            Internet 129.1.1.1
>>                  |
>>                  .
>>                 / \
>>                /   \
>>               /     \
>>              / FW-1  \
>>             /         \
>>            +-----------+
>>              | 192.168.1.1
>>              | 192.168.1.2
>>            +-----------+
>>            |  Router   |
>>            +-----------+
>>              | 10.1.1.1
>>               / \
>>              /   \
>>        FTP         HTTP servers
>>      10.1.1.2      10.1.1.3
>>
>> You do a route add -p 129.1.1.1 mask 255.255.255.255 192.168.1.2
>> and the router will dispatch it to 10.1.1.2 or 10.1.1.3 because the
>> FW-1 sends the packet to 10.1.1.2 or 10.1.1.3 depending on port (21 or 80)
>>
>> NO in the following configuration:
>>
>>            Internet 129.1.1.1
>>                  |
>>                  .
>>                 / \
>>                /   \
>>               /     \
>>              / FW-1  \
>>             /         \
>>            +-----------+
>>              | 10.1.1.1
>>               / \
>>              /   \
>>        FTP         HTTP servers
>>      10.1.1.2      10.1.1.3
>>
>> It's because you need to use the Windows NT routing and you can't use the
>> following syntax:
>>
>> route add -p 129.1.1.1:21 mask 255.255.255.255 10.1.1.2
>> route add -p 129.1.1.1:80 mask 255.255.255.255 10.1.1.3
>>
>> You can't route on a port basis, just on an IP address basis...
>>
>> At 12:43 2001-11-02 -0500, Tom Sevy wrote:
>> >Is there a way in this scenario to route inwards by port/service?
>> >
>> >Single external IP address on the FW, multiple internal IP addresses.
>> >Map/route inbound FTP to one server, inbound HTTP to another?
------------------------------------------------------------
Yves Belle-Isle            V.P.       VE2YBI
YB17                       Email: [email protected]
Systems Manager            Tel:
Sogi Informatique Ltee.    Fax:
------------------------------------------------------------
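An added model, not code from the thread or from Check Point, of the point both diagrams above and Dan's reply make: an NT route table is keyed on destination address only, so port-based inbound NAT behind a single external IP works when a next-hop router sits in front of the servers, or when translation happens before the routing decision (the input-interface behaviour Yves attributes to NG). The addresses come from the diagrams; the `nat_at_input` ordering switch and the two route tables are assumptions built from them.

```python
# Added model (not FW-1 code): how NAT ordering and the route table interact
# for inbound FTP/HTTP behind a single external IP, using the thread's addresses.
import ipaddress

EXTERNAL_IP = "129.1.1.1"          # the firewall's only public address
# Constructed port-based static NAT: (public IP, dst port) -> internal server
NAT_TABLE = {
    (EXTERNAL_IP, 21): "10.1.1.2",  # FTP server
    (EXTERNAL_IP, 80): "10.1.1.3",  # HTTP server
}

# Topology 1 (works on 4.1): router 192.168.1.2 sits in front of the servers.
#   route add -p 129.1.1.1 mask 255.255.255.255 192.168.1.2
ROUTES_WITH_ROUTER = [("192.168.1.0/24", "direct"), ("129.1.1.1/32", "192.168.1.2")]
# Topology 2 (fails on 4.1): servers directly on the inside interface 10.1.1.1.
ROUTES_DIRECT = [("10.1.1.0/24", "direct")]


def route_lookup(routes, dst_ip):
    """Longest-prefix match on the destination IP only. There is no port
    column, which is why 'route add 129.1.1.1:21 ...' cannot be expressed."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forward(routes, dst_ip, dst_port, nat_at_input):
    """Return (destination after NAT, next hop) for one inbound packet.
    nat_at_input=False: route on the untranslated public address, translate on
    the server-side interface (the 4.1 ordering the thread works around); a
    next hop of None means the packet stays on the firewall, as Dan describes.
    nat_at_input=True: translate first, then route on the internal address."""
    if nat_at_input:
        dst_ip = NAT_TABLE.get((dst_ip, dst_port), dst_ip)
        return dst_ip, route_lookup(routes, dst_ip)
    next_hop = route_lookup(routes, dst_ip)
    return NAT_TABLE.get((dst_ip, dst_port), dst_ip), next_hop


if __name__ == "__main__":
    for routes, name in ((ROUTES_WITH_ROUTER, "router"), (ROUTES_DIRECT, "direct")):
        for port in (21, 80):
            for order in (False, True):
                print(name, port, "nat_at_input" if order else "nat_at_output",
                      forward(routes, EXTERNAL_IP, port, order))
```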
===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================