
[FW-1] RE: [FW-1] NAT and anti-spoofing



Title: RE: [FW-1] NAT and anti-spoofing

How can this be? Spoofing is about the source address, not the destination address. I think it would be helpful to see your spoofing settings for all interfaces.

                -&


> -----Original Message-----
> From: Xena Warrior [mailto:[email protected]]
> Sent: Saturday, 23 February 2002 12:52
> To: [email protected]
> Subject: Re: [FW-1] NAT and anti-spoofing
>
> I believe the problem with the first NAT rule is that
> the anti-spoofing check on the interior Interface  of
> FW on NET A is seeing the Destination Address of
> 192.168.3.1  which has not been identified as a Valid
> Address.  ( The Destination Address Translation to
> Alice's IP is the LAST thing done before sending to
> Alice).  Build a Workstation object for Ed
> (192.168.3.1) then change the Valid Addresses on NET
> A's interface to be SPECIFIC > Build a group object
> that consists of NET A and the new ED workstation
> object.
>
> Hope this helps
>
>
> --- Nico De Ranter <[email protected]> wrote:
> > Howdy,
> >
> > ok, this is a tricky one :-)
> > I have a configuration which -sort of- looks like
> > this:
> >
> >             net A - 10.0.0.0
> >                     |
> >                     |
> >                 ----------
> >                 |firewall| ..... 'virtual' net D
> > 10.1.1.0
> >                 |        |
> >                 |        |--- net E 192.168.3.0
> >                 ----------
> >                     |
> >                     |
> >            net B - 192.168.1.0
> >                     |
> >                     |
> >                 ----------
> >                 | router |
> >                 ----------
> >                     |
> >                     |
> >            net C - 192.168.2.0
> >
> >
> > - net A is a world-wide WAN which does not know
> > about net B
> > or net C.  However we have a subnet D of net A which
> > we use
> > for NAT everything that needs access to net A.
> > - net C does not know about net A (router is not
> > under our control).
> >   net C does know the way to net E
> > - The anti-spoofing settings say that valid
> > addresses for net A interface
> > are 10.x.x.x
> >
> > a machine on net C (say: Charlie, 192.168.2.1) needs
> > to contact a
> > server on net A (say: Alice, 10.2.2.2). Since net C
> > does not know about
> > net A, I took an address on net E (say: Ed,
> > 192.168.3.1) and one
> > on net D known by net A (say; Dany, 10.1.1.1) and
> > created
> > a NAT rule which says:
> >
> > src: Charlie, dst: Ed,    prot: any
> >         --- translate to -->
> > src: Dany (hide), dst: Alice (static), prot:
> > original
> >
> > Anybody still following? :-)
> >
> > Now if I make a connection from Charlie to Ed
> > (hoping to end
> > op on Alice), the connection is rejected on the
> > outgoing net A
> > interface based on rule 0, meaning anti-spoofing
> > rules.
> >
> >
> > I have another rule saying
> >
> > src: net B, dst: net A, prot: any
> >        --- translate to -->
> > src: 10.1.1.2 (hide), dst: orig, prot: original
> >
> > that one works without problems.
> >
> > Any idea how I can fix the problem (except for
> > turning of anti-spoofing
> > rules which is not an option)
> >
> > thanks in advance,
> >
> > Nico
> >
> >
> >
> >
> >
> >
> >
> >
> > ---------------------------------------------------------
> >  "It has been said that there are only two businesses that
> >   refer to customers as users: illegal drug trade and
> >                the computer industry."
> > ---------------------------------------------------------
> > Nico De Ranter
> > Sony Service Center (SDCE/VPE-B)
> > Sint Stevens Woluwestraat 55 (Rue de
> > Woluwe-Saint-Etienne)
> > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > e-mail: [email protected]
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
>
>
>
>
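To make the two explanations in this thread concrete, here is an added example written for this page; it is not code from any of the posters and it is not Check Point's FW-1 implementation. It models a per-interface anti-spoofing check ("valid addresses") and the two NAT rules Nico describes, using the addresses from the thread. The check order is an assumption of the model, chosen so that it reproduces the symptom reported: the source is validated against the inbound interface, then the destination is validated against the outbound interface's valid addresses, and only then is NAT applied, so the outbound check still sees the untranslated destination 192.168.3.1. The valid-address lists for the net B and net E interfaces, and the hosts 192.168.1.5 and 172.16.0.9, are constructed for the example. Hide NAT is modelled as an address rewrite only (no port translation).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    """A firewall interface with its anti-spoofing 'valid addresses' list."""
    name: str
    valid: List[str]  # networks/hosts the firewall expects to see behind this interface

    def accepts(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a in ipaddress.ip_network(n, strict=False) for n in self.valid)


@dataclass
class NatRule:
    """Match on the original src/dst; None in a translate field keeps the original."""
    match_src: str
    match_dst: str
    xlate_src: Optional[str]
    xlate_dst: Optional[str]

    def matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (s in ipaddress.ip_network(self.match_src, strict=False)
                and d in ipaddress.ip_network(self.match_dst, strict=False))


def apply_nat(rules: List[NatRule], src: str, dst: str) -> Tuple[str, str]:
    """First matching rule wins; no match leaves the packet untranslated."""
    for r in rules:
        if r.matches(src, dst):
            return (r.xlate_src or src, r.xlate_dst or dst)
    return (src, dst)


def forward(ifaces: Dict[str, Interface], rules: List[NatRule],
            in_if: str, out_if: str, src: str, dst: str):
    """Assumed order (model, not FW-1 documentation): inbound source check,
    outbound destination check on the still-untranslated packet, then NAT.
    Returns ('drop', reason) or ('pass', (translated_src, translated_dst))."""
    if not ifaces[in_if].accepts(src):
        return ("drop", f"rule 0: source {src} is not a valid address on {in_if}")
    if not ifaces[out_if].accepts(dst):
        return ("drop", f"rule 0: destination {dst} is not a valid address on {out_if}")
    return ("pass", apply_nat(rules, src, dst))


def build_topology(extra_valid_on_a: Tuple[str, ...] = ()) -> Dict[str, Interface]:
    """Nico's topology. net A valid addresses are 10.x.x.x as stated in the thread;
    the net B list (net B plus net C behind the router) and net E list are assumptions."""
    return {
        "net A": Interface("net A", ["10.0.0.0/8", *extra_valid_on_a]),
        "net B": Interface("net B", ["192.168.1.0/24", "192.168.2.0/24"]),
        "net E": Interface("net E", ["192.168.3.0/24"]),
    }


# Rule 1: Charlie -> Ed becomes Dany (hide) -> Alice (static).
# Rule 2: net B -> net A becomes 10.1.1.2 (hide) -> original destination.
RULES = [
    NatRule("192.168.2.1/32", "192.168.3.1/32", "10.1.1.1", "10.2.2.2"),
    NatRule("192.168.1.0/24", "10.0.0.0/8", "10.1.1.2", None),
]


if __name__ == "__main__":
    # Rule 1 as posted: the outbound check on net A sees destination 192.168.3.1.
    print(forward(build_topology(), RULES, "net B", "net A", "192.168.2.1", "192.168.3.1"))
    # Xena's suggestion: add Ed to net A's valid addresses.
    print(forward(build_topology(("192.168.3.1/32",)), RULES, "net B", "net A",
                  "192.168.2.1", "192.168.3.1"))
    # Rule 2 works because its destination is already a 10.x.x.x address.
    print(forward(build_topology(), RULES, "net B", "net A", "192.168.1.5", "10.2.2.2"))
    # The source-side check the reply above is talking about (constructed source).
    print(forward(build_topology(), RULES, "net B", "net A", "172.16.0.9", "10.2.2.2"))
```

Under this model the first NAT rule is dropped at the net A interface because the outbound check runs before the destination is rewritten to Alice, while the second rule passes because its destination is already inside 10.0.0.0/8; adding Ed to net A's valid addresses makes the first rule pass. The last call shows the inbound source check, which is independent of NAT: a source that is not expected behind the net B interface is dropped there regardless of any translation rule. Whether the outbound destination check exists in a given FW-1 version, and where NAT sits relative to it, is exactly what the thread is debating; the model only makes the two positions testable side by side.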



   All contents © 2004 Network Presence, LLC. All rights reserved.