
Re: [FW-1] Netbios NAT Issue (bug?) in NG



NG has a bug with NBT and NAT.  It is supposed to be fixed in NG FP2.

James
----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Wednesday, January 30, 2002 4:01 PM
Subject: [FW-1] Netbios NAT Issue (bug?) in NG


> Hi everyone,
>
> We have an NG firewall with three legs, external, internal, and DMZ.
>
> Note - All IP's are fudged.
>
> The DMZ leg is in a 192.168.50.x network.
> Two servers on it, dmz1 (192.168.50.10, Natted to 206.186.27.10) and dmz2
> (192.168.50.20, Natted to 206.186.27.20)
>
> Internal is 170.153.x.x.
>
> External is 206.186.27.x.
>
> We've got a few windows boxes in our DMZ and use static nat to nat them.
> They are visible to the outside world via their natted address.
>
> We have a PDC and WINS server in the internal network that the DMZ clients
> need to talk to for authentication and windows name resolution.
>
> The internal (170.153.x.x) clients and servers have routes to get to the
> DMZ systems via the firewall.  They can access the DMZ using the
> 192.168.50.x addresses.  Likewise, the DMZ systems know how to reach the
> internal systems using 170.153.x.x IP's.
>
> We have a rule that says basically
> Internal, DMZ -> DMZ, Internal : NBT : Accept
> This allows the DMZ systems to talk netbios type stuff with the PDC, WINS
> etc.
>
>
> Since we do static nat for the DMZ systems, we configure it on the NAT tab.
> This would be fine, except that we don't want the DMZ -> Internal and
> Internal -> DMZ traffic to be natted, since they can all use the real
> addresses.  To fix this, we've got a rule in front of the auto generated
> rules that says DMZ -> Internal : Original -> Original, and Internal -> DMZ
> : Original -> Original.  This works fine for all packets except when we get
> into netbios name lookups.
>
>
> Here's the problem -
> Like I mentioned before, there's an Internal WINS server.   When a system
> on the DMZ, for example dmz1, tries to talk to dmz2 it queries the internal
> WINS server 170.153.x.x for the IP address of dmz2.  The internal WINS
> server replies with info about dmz2, specifically a netbios name response.
> We've sniffed it, and can see that the server replies correctly with the IP
> 192.168.50.20 in the payload.  Unfortunately the packet goes through the
> firewall and its payload (NOT the IP header, src and dst are untouched) is
> NATTED!  The payload of the packet is the IP that I use in the automatic NAT
> rule, not the IP of the server.  This is especially bad since I have manual
> NAT rules above the Auto NAT rules.
>
> One solution I found was to re-create the NBT groups services, without the
> special protocol-type field setting.  (Typically, nbname has a protocol
> type of nbname, I change it to blank.).
>
> Any ideas would be welcome.
>
>
> Checkpoint - Can you add this to your bug list?
>
> John Delisle
> Corporate Technology
> Ceridian Canada Ltd
>
>
>
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

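The behaviour John describes (IP header untouched, the address inside the NetBIOS name response rewritten to the static-NAT address) is easiest to confirm by decoding the NBNS reply on both sides of the firewall and comparing the payload address with what the WINS server really holds. The parser below is an added example, not code from the original post or from Check Point; it follows the RFC 1002 name-response layout, and the packets, the name `dmz2` and the addresses 192.168.50.20 / 206.186.27.20 are constructed from the (fudged) values in the post. Function names such as `find_rewritten_answers` are hypothetical.

```python
"""Decode NetBIOS Name Service (NBNS) name-query responses and flag answers
whose payload address differs from the address the WINS server should have
returned.  Constructed to mirror the post: dmz2 really lives at
192.168.50.20, and the firewall rewrote the payload to the static-NAT
address 206.186.27.20.  Added example; not from the original message."""
import socket
import struct

NB_RECORD = 0x0020   # RR type NB (RFC 1002 section 4.2.13)
IN_CLASS = 0x0001


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding (RFC 1001 14.1): 15-char space-padded name plus a
    one-byte suffix, each byte split into two nibbles added to 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytearray()
    for b in raw:
        half += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(half)]) + bytes(half) + b"\x00"


def decode_netbios_name(half):
    """Reverse of encode_netbios_name for the 32-byte encoded label."""
    raw = bytes(((half[i] - 0x41) << 4) | (half[i + 1] - 0x41)
                for i in range(0, len(half), 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_response(txid, name, ip, suffix=0x20):
    """Constructed positive name-query response carrying one NB record."""
    header = struct.pack("!6H", txid, 0x8580, 0, 1, 0, 0)  # response, AA, RD, RA
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(ip)  # NB_FLAGS + address
    answer = (encode_netbios_name(name, suffix)
              + struct.pack("!HHIH", NB_RECORD, IN_CLASS, 300000, len(rdata))
              + rdata)
    return header + answer


def _read_name(data, off):
    """Return (encoded label bytes, offset just past the terminating zero)."""
    length = data[off]
    label = data[off + 1:off + 1 + length]
    end = off + 1 + length
    if data[end] != 0:
        raise ValueError("unsupported multi-label NetBIOS name")
    return label, end + 1


def parse_nbns_response(data):
    """Return [(name, suffix, ip)] for every NB answer in the response."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    off = 12
    for _ in range(qdcount):              # questions carry no address data
        _, off = _read_name(data, off)
        off += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        label, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype != NB_RECORD:
            continue
        name, suffix = decode_netbios_name(label)
        for i in range(0, rdlen, 6):      # each entry: NB_FLAGS(2) + IP(4)
            answers.append((name, suffix, socket.inet_ntoa(rdata[i + 2:i + 6])))
    return answers


def find_rewritten_answers(packet, real_addresses):
    """Compare payload addresses with what the WINS server should hold.
    real_addresses maps NetBIOS name -> address the server actually stores."""
    rewritten = []
    for name, _suffix, ip in parse_nbns_response(packet):
        expected = real_addresses.get(name)
        if expected is not None and ip != expected:
            rewritten.append((name, ip, expected))
    return rewritten


# Constructed sample data using the fudged addresses from the post.
REAL_ADDRESSES = {"DMZ1": "192.168.50.10", "DMZ2": "192.168.50.20"}
SERVER_REPLY = build_nbns_response(0x1234, "dmz2", "192.168.50.20")      # as sniffed at WINS
THROUGH_FIREWALL = build_nbns_response(0x1234, "dmz2", "206.186.27.20")  # payload rewritten

if __name__ == "__main__":
    print("server reply :", find_rewritten_answers(SERVER_REPLY, REAL_ADDRESSES))
    print("via firewall :", find_rewritten_answers(THROUGH_FIREWALL, REAL_ADDRESSES))
```

Run it against the two captures (WINS side and DMZ side) instead of the constructed packets: an empty list on the WINS side and a non-empty one on the DMZ side is exactly the symptom in the post, with the IP header left alone and only the NB record's address changed.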
All contents © 2004 Network Presence, LLC. All rights reserved.