[FW-1] NAT and anti-spoofing
Howdy,

ok, this is a tricky one :-)

I have a configuration which -sort of- looks like this:

    net A - 10.0.0.0
        |
        |
    ----------
    |firewall| ..... 'virtual' net D 10.1.1.0
    |        |
    |        |--- net E 192.168.3.0
    ----------
        |
        |
    net B - 192.168.1.0
        |
        |
    ----------
    | router |
    ----------
        |
        |
    net C - 192.168.2.0

- net A is a world-wide WAN which does not know about net B or net C. However we have a subnet D of net A which we use to NAT everything that needs access to net A.
- net C does not know about net A (router is not under our control). net C does know the way to net E.
- The anti-spoofing settings say that valid addresses for net A interface are 10.x.x.x

A machine on net C (say: Charlie, 192.168.2.1) needs to contact a server on net A (say: Alice, 10.2.2.2). Since net C does not know about net A, I took an address on net E (say: Ed, 192.168.3.1) and one on net D known by net A (say: Dany, 10.1.1.1) and created a NAT rule which says:

    src: Charlie, dst: Ed, prot: any --- translate to --> src: Dany (hide), dst: Alice (static), prot: original

Anybody still following? :-)

Now if I make a connection from Charlie to Ed (hoping to end up on Alice), the connection is rejected on the outgoing net A interface based on rule 0, meaning anti-spoofing rules.

I have another rule saying

    src: net B, dst: net A, prot: any --- translate to --> src: 10.1.1.2 (hide), dst: orig, prot: original

that one works without problems.

Any idea how I can fix the problem (except for turning off anti-spoofing rules, which is not an option)?

thanks in advance,

Nico

---------------------------------------------------------
"It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [email protected]
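An added example (not part of Nico's post and not Check Point code): a small Python model of the two NAT rules and the 10.x.x.x valid-address list for the net A interface. It assumes the outbound check tests the destination address; the /24 mask for net B and the host 192.168.1.10 are made up. The post does not say at which point relative to NAT the firewall applies the check, so both views of the packet are evaluated.

```python
import ipaddress

# Addresses are taken from the post; the check model itself is an assumption.
VALID_NET_A = ipaddress.ip_network("10.0.0.0/8")  # anti-spoofing: 10.x.x.x on net A interface
NET_B = ipaddress.ip_network("192.168.1.0/24")    # assumed /24, the post gives no mask

CHARLIE, ED = "192.168.2.1", "192.168.3.1"
DANY, ALICE = "10.1.1.1", "10.2.2.2"


def nat(src, dst):
    """Apply the two NAT rules from the post; return (src, dst) after translation."""
    if src == CHARLIE and dst == ED:
        return DANY, ALICE        # rule 1: src hidden behind Dany, dst static to Alice
    if ipaddress.ip_address(src) in NET_B and ipaddress.ip_address(dst) in VALID_NET_A:
        return "10.1.1.2", dst    # rule 2: src hidden behind 10.1.1.2, dst unchanged
    return src, dst


def passes_outbound_check(dst):
    """Assumed model: a packet leaving through the net A interface must have a
    destination inside that interface's valid-address list."""
    return ipaddress.ip_address(dst) in VALID_NET_A


def compare(src, dst):
    """Evaluate the check on the packet as received and as translated."""
    _, new_dst = nat(src, dst)
    return {"before_nat": passes_outbound_check(dst),
            "after_nat": passes_outbound_check(new_dst)}


if __name__ == "__main__":
    # Constructed sample flows: the failing one from the post, and a made-up
    # net B host using the rule that works.
    for name, src, dst in [("Charlie -> Ed", CHARLIE, ED),
                           ("net B host -> Alice", "192.168.1.10", ALICE)]:
        print(name, compare(src, dst))
```

Only the rule that translates the destination gives different results in the two views, which is the one difference between the failing and the working rule in the post.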