
Re: [FW-1] FW1 v4.1 on NT 4, Single external IP

OK, for more than 1 IP address your solution is the same as mine: it works as long as there
is a router between the firewall and the internal servers.
 
For one IP, or more than one if there is no router, I suppose you mean the HTTP_MAPPED, FTP_MAPPED and
SMTP_MAPPED services, because with resources only SMTP permits me to specify an SMTP server to
forward the traffic; I don't see how HTTP and FTP resources can help to redirect traffic.
 
Even if the services for which I need it are not HTTP, FTP or SMTP, I will do a test on
those using the MAPPED services...
 
Yves Belle-Isle
----- Original Message -----
Sent: Friday, November 02, 2001 18:36
Subject: Re: [FW-1] FW1 v4.1 on NT 4, Single external IP

I'm not sure I follow what everyone is talking about here.  If you only have one external IP, which is by necessity physically bound to the adapter, inbound NAT rules will not work (you cannot proxy arp your real IP on Solaris or NT/2000 - if the address is bound to the adapter, the stack has no reason to route it elsewhere - it just passes it up the stack).  So, the way to accomplish this, since Cisco-style portmaps don't work, is to use resource rules.  For example, create a resource for HTTP, another for FTP, and another for SMTP.  Create three rules using these resources (source = any, dest = firewall, service = URI resource ... etc.).  Your firewall will essentially proxy these connections, such that the logs on your internal http, ftp, and smtp servers will show the source as the internal IP of the firewall (this is not necessarily desirable, but that comes with the territory).  If you need services other than these three, you need more IPs (see below).

If you have more than 1 IP, all these issues go away, and you can redirect ports to your heart's content with NAT (as long as your route statement specifies a next-hop internal router that knows how to get to all your internal servers).

HTH - please post if I've missed the point somewhere...

Dan Hitchcock

-----Original Message-----
From: Yves Belle-Isle [mailto:[email protected]]
Sent: Friday, November 02, 2001 1:43 PM
To: [email protected]
Subject: Re: [FW-1] FW1 v4.1 on NT 4, Single external IP


Can you explain please how "address translation" can help? The normal
solution already uses "address translation" via NAT.

In my solution I NAT the external address to two internal addresses based
on service (21/FTP and 80/HTTP), but how do you set up the necessary
routing in Windows NT?

If you have a working solution not involving a router between the FW-1
and the internal servers it would be great, because I want to implement it,
like , and I can't.

P.S. It seems that this FW-1 2000 (4.1 SP1+) issue should be non-existent in NG because
     I read that the NAT is done at the input interface, not the server-side
     interface, so all the rules are built around the internal address,
     I suppose; so if I change ISP and external IP address I don't need
     to change all the rules and I don't need to add a route in NT, because
     by the time the routing is done, the address will already have been
     translated to the internal address...


At 15:46 2001-11-02 -0500, Juan Concepcion wrote:
>You could also use address translation to get this accomplished.
>
>Yves Belle-Isle wrote:
>
>> Yes, in the following configuration:
>>
>>             Internet 129.1.1.1
>>                |
>>                .
>>               / \
>>              /   \
>>             /     \
>>            / FW-1  \
>>           /         \
>>          +-----------+
>>                | 192.168.1.1
>>                | 192.168.1.2
>>          +-----------+
>>          |   Router  |
>>          +-----------+
>>                | 10.1.1.1
>>               / \
>>              /   \
>>           FTP    HTTP servers
>>      10.1.1.2    10.1.1.3
>>
>> You do a route add -p 129.1.1.1 mask 255.255.255.255 192.168.1.2
>> and the router will dispatch it to 10.1.1.2 or 10.1.1.3 because the
>> FW-1 sends the packet to 10.1.1.2 or 10.1.1.3 depending on port (21 or 80)
>>
>> NO in the following configuration:
>>
>>             Internet 129.1.1.1
>>                |
>>                .
>>               / \
>>              /   \
>>             /     \
>>            / FW-1  \
>>           /         \
>>          +-----------+
>>                | 10.1.1.1
>>               / \
>>              /   \
>>           FTP    HTTP servers
>>      10.1.1.2    10.1.1.3
>>
>> It's because you need to use the Windows NT routing and you can't use the
>> following syntax:
>>
>> route add -p 129.1.1.1:21 mask 255.255.255.255 10.1.1.2
>> route add -p 129.1.1.1:80 mask 255.255.255.255 10.1.1.3
>>
>> You can route on a port basis, just on an IP address basis...
>>
>> At 12:43 2001-11-02 -0500, Tom Sevy wrote:
>> >Is there a way in this scenario to route inwards by port/service?
>> >
>> >Single external IP address on the FW, multiple internal IP addresses.
>> >Map/route inbound FTP to one server, inbound HTTP to another?


------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Responsable des Systemes                Tel: 
Sogi Informatique Ltee.                 Fax: 
------------------------------------------------------------
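The whole thread turns on one ordering question: a routing table (and NT's `route add`) decides on the destination IP only, while a destination NAT table can decide on destination IP plus port. The toy model below is an added illustration, not code from the thread, from Check Point or from Windows; it only follows the behaviour the participants describe (route on the untranslated address first for 4.1 on NT, translate at the inbound interface first for NG). The ISP gateway 129.1.1.254 is a constructed placeholder; the other addresses are the ones in Yves's two diagrams.

```python
"""
Toy model of route-then-NAT versus NAT-then-route for a single external IP.
Illustration only; it is not Check Point, Windows NT or any vendor's code.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int


class RouteTable:
    """Longest-prefix-match table keyed on destination address only,
    which is all that 'route add -p <ip> mask <mask> <gw>' can express."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop)

    def add(self, prefix, next_hop):
        # next_hop "direct" means the destination is on-link (ARP for it).
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class DnatTable:
    """Static destination NAT keyed on (destination IP, destination port)."""

    def __init__(self):
        self.entries = {}

    def add(self, dst_ip, dst_port, internal_ip):
        self.entries[(dst_ip, dst_port)] = internal_ip

    def translate(self, pkt):
        new_ip = self.entries.get((pkt.dst_ip, pkt.dst_port))
        return replace(pkt, dst_ip=new_ip) if new_ip else pkt


def next_hop_route_then_nat(pkt, routes, dnat):
    """Route on the untranslated external address, translate afterwards
    (the 4.1-on-NT ordering described in the thread). The /32 route for the
    external address can name only one next hop, whatever the port."""
    return routes.lookup(pkt.dst_ip), dnat.translate(pkt).dst_ip


def next_hop_nat_then_route(pkt, routes, dnat):
    """Translate at the inbound interface first, then route on the internal
    address (the ordering the thread attributes to NG)."""
    translated = dnat.translate(pkt)
    return routes.lookup(translated.dst_ip), translated.dst_ip


def delivered_to(pipeline, pkt, routes, dnat):
    """Host that receives the frame: the destination itself when the route is
    on-link, otherwise the gateway named by the route (regardless of dst IP)."""
    hop, dst = pipeline(pkt, routes, dnat)
    return dst if hop == "direct" else hop


def build_dnat():
    # The two port-based mappings from the thread: 21 -> FTP host, 80 -> HTTP host.
    dnat = DnatTable()
    dnat.add("129.1.1.1", 21, "10.1.1.2")
    dnat.add("129.1.1.1", 80, "10.1.1.3")
    return dnat


def build_single_ip_topology():
    """Second diagram: FW-1 is 10.1.1.1, servers 10.1.1.2/.3 on-link, no router.
    The external /32 must point somewhere; there is only one slot, so the
    FTP server is chosen here (the HTTP server would be just as wrong)."""
    routes = RouteTable()
    routes.add("10.1.1.0/24", "direct")
    routes.add("0.0.0.0/0", "129.1.1.254")      # constructed ISP gateway
    routes.add("129.1.1.1/32", "10.1.1.2")
    return routes, build_dnat()


def build_routed_topology():
    """First diagram: FW-1 192.168.1.1, router 192.168.1.2, servers behind it.
    Yves's 'route add -p 129.1.1.1 mask 255.255.255.255 192.168.1.2' is the
    /32 entry on the firewall; the router then forwards on the internal address."""
    fw = RouteTable()
    fw.add("192.168.1.0/24", "direct")
    fw.add("0.0.0.0/0", "129.1.1.254")          # constructed ISP gateway
    fw.add("129.1.1.1/32", "192.168.1.2")
    router = RouteTable()
    router.add("192.168.1.0/24", "direct")
    router.add("10.1.1.0/24", "direct")
    return fw, router, build_dnat()


def delivered_via_router(pkt, fw, router, dnat):
    """Route-then-NAT on the firewall; the packet leaves with the translated
    destination, and the router routes on that already-internal address."""
    hop, dst = next_hop_route_then_nat(pkt, fw, dnat)
    assert hop == "192.168.1.2", "firewall must hand the packet to the router"
    return dst if router.lookup(dst) == "direct" else router.lookup(dst)


if __name__ == "__main__":
    routes, dnat = build_single_ip_topology()
    for port in (21, 80):
        pkt = Packet("129.1.1.1", port)
        print(port, "route-then-NAT ->", delivered_to(next_hop_route_then_nat, pkt, routes, dnat),
              "| NAT-then-route ->", delivered_to(next_hop_nat_then_route, pkt, routes, dnat))
```

In the no-router topology the route-then-NAT ordering delivers the port-80 frame to the FTP host's address because the single /32 route cannot look at the port, which is the failure Yves describes; NAT-then-route reaches the right host for both ports without any extra route, and the routed topology works under either ordering because the router only ever sees the translated address.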
