[FW-1] NAT and anti-spoofing



Howdy,

ok, this is a tricky one :-)
I have a configuration which -sort of- looks like this:

            net A - 10.0.0.0
                    |
                    |
                ----------
                |firewall| ..... 'virtual' net D 10.1.1.0
                |        |
                |        |--- net E 192.168.3.0
                ----------
                    |
                    |
           net B - 192.168.1.0
                    |
                    |
                ----------
                | router |
                ----------
                    |
                    |
           net C - 192.168.2.0


- net A is a world-wide WAN which does not know about net B
or net C.  However, we have a subnet D of net A which we use
to NAT everything that needs access to net A.
- net C does not know about net A (router is not under our control).
  net C does know the way to net E
- The anti-spoofing settings say that valid addresses for the net A interface
are 10.x.x.x

A machine on net C (say: Charlie, 192.168.2.1) needs to contact a
server on net A (say: Alice, 10.2.2.2). Since net C does not know about
net A, I took an address on net E (say: Ed, 192.168.3.1) and one
on net D known by net A (say: Dany, 10.1.1.1) and created
a NAT rule which says:

src: Charlie, dst: Ed,    prot: any
        --- translate to -->
src: Dany (hide), dst: Alice (static), prot: original

Anybody still following? :-)

Now if I make a connection from Charlie to Ed (hoping to end
up on Alice), the connection is rejected on the outgoing net A
interface based on rule 0, meaning the anti-spoofing rules.


I have another rule saying

src: net B, dst: net A, prot: any
       --- translate to -->
src: 10.1.1.2 (hide), dst: orig, prot: original

that one works without problems.

Any idea how I can fix the problem (except for turning off anti-spoofing
rules, which is not an option)?

thanks in advance,

Nico

---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]
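The following is an added toy model, not code from the original post or from the firewall vendor, of how a per-interface anti-spoofing check interacts with the two NAT rules above. It assumes (as the symptom in the post suggests, but the post does not confirm) that the outbound interface's check compares the packet's destination with that interface's valid-address set before the static destination translation is applied; net C is assumed to be listed as valid behind the net B interface, and the outgoing interface is given explicitly as in the post.

```python
import ipaddress

# Valid-address sets per firewall interface, taken from the post's diagram.
# Net C (192.168.2.0) sits behind the router on net B, so it is listed as
# valid on the net B interface (an assumption; the post does not say so).
VALID = {
    "netA": ["10.0.0.0/8"],
    "netB": ["192.168.1.0/24", "192.168.2.0/24"],
    "netE": ["192.168.3.0/24"],
}

# The two NAT rules from the post: (match_src, match_dst) -> (new_src, new_dst).
# None means "keep the original address".
NAT_RULES = [
    (("192.168.2.1/32", "192.168.3.1/32"), ("10.1.1.1", "10.2.2.2")),  # Charlie->Ed becomes Dany->Alice
    (("192.168.1.0/24", "10.0.0.0/8"), ("10.1.1.2", None)),           # net B->net A, hide behind 10.1.1.2
]


def in_nets(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def translate(src, dst):
    """Apply the first matching NAT rule and return the translated (src, dst)."""
    for (m_src, m_dst), (n_src, n_dst) in NAT_RULES:
        if in_nets(src, [m_src]) and in_nets(dst, [m_dst]):
            return n_src or src, n_dst or dst
    return src, dst


def forward(src, dst, in_if, out_if, nat_before_outbound_check):
    """Return 'accepted' or which interface's rule 0 (anti-spoofing) dropped the packet."""
    if not in_nets(src, VALID[in_if]):          # inbound: source must belong to in_if
        return f"rejected rule 0 on {in_if}"
    if nat_before_outbound_check:               # model variant: translate first
        src, dst = translate(src, dst)
    if not in_nets(dst, VALID[out_if]):         # outbound: destination must belong to out_if
        return f"rejected rule 0 on {out_if}"
    if not nat_before_outbound_check:           # model variant: translate after the check
        src, dst = translate(src, dst)
    return "accepted"


if __name__ == "__main__":
    # Charlie -> Ed is dropped on net A unless NAT runs before the outbound check,
    # while the plain net B -> net A hide rule passes either way.
    print(forward("192.168.2.1", "192.168.3.1", "netB", "netA", False))
    print(forward("192.168.2.1", "192.168.3.1", "netB", "netA", True))
    print(forward("192.168.1.5", "10.2.2.2", "netB", "netA", False))
```

Under the check-before-NAT ordering the model reproduces exactly the post's observation (Charlie to Ed dropped by rule 0 on net A, net B to net A accepted), which is why the destination translation in the first rule is the part worth examining.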