[FW-1] AW: [FW-1] NAT and anti-spoofing
How can this be? Spoofing is about the source address, not the destination address. I think it would be helpful to see your spoofing settings for all interfaces.
> -----Original Message-----
> From: Xena Warrior [mailto:[email protected]]
> Sent on: Saturday, 23 February 2002 12:52
> To: [email protected]
> Subject: Re: [FW-1] NAT and anti-spoofing
>
> I believe the problem with the first NAT rule is that the anti-spoofing
> check on the interior interface of the FW on NET A is seeing the
> destination address of 192.168.3.1, which has not been identified as a
> valid address. (The destination address translation to Alice's IP is the
> LAST thing done before sending to Alice.) Build a workstation object for
> Ed (192.168.3.1), then change the valid addresses on NET A's interface to
> be SPECIFIC: build a group object that consists of NET A and the new Ed
> workstation object.
>
> Hope this helps
>
>
> --- Nico De Ranter <[email protected]> wrote:
> > Howdy,
> >
> > ok, this is a tricky one :-)
> > I have a configuration which -sort of- looks like
> > this:
> >
> > net A - 10.0.0.0
> >     |
> >     |
> > ----------
> > |firewall| ..... 'virtual' net D 10.1.1.0
> > |        |
> > |        |--- net E 192.168.3.0
> > ----------
> >     |
> >     |
> > net B - 192.168.1.0
> >     |
> >     |
> > ----------
> > | router |
> > ----------
> >     |
> >     |
> > net C - 192.168.2.0
> >
> >
> > - net A is a world-wide WAN which does not know about net B or net C.
> >   However we have a subnet D of net A which we use for NAT of everything
> >   that needs access to net A.
> > - net C does not know about net A (router is not under our control).
> >   net C does know the way to net E.
> > - The anti-spoofing settings say that valid addresses for the net A
> >   interface are 10.x.x.x.
> >
> > A machine on net C (say: Charlie, 192.168.2.1) needs to contact a
> > server on net A (say: Alice, 10.2.2.2). Since net C does not know about
> > net A, I took an address on net E (say: Ed, 192.168.3.1) and one on
> > net D known by net A (say: Dany, 10.1.1.1) and created a NAT rule which
> > says:
> >
> > src: Charlie, dst: Ed, prot: any
> > --- translate to -->
> > src: Dany (hide), dst: Alice (static), prot: original
> >
> > Anybody still following? :-)
> >
> > Now if I make a connection from Charlie to Ed (hoping to end up on
> > Alice), the connection is rejected on the outgoing net A interface
> > based on rule 0, meaning anti-spoofing rules.
> >
> >
> > I have another rule saying
> >
> > src: net B, dst: net A, prot: any
> > --- translate to -->
> > src: 10.1.1.2 (hide), dst: orig, prot: original
> >
> > that one works without problems.
> >
> > Any idea how I can fix the problem (except for turning off anti-spoofing
> > rules, which is not an option)?
> >
> > thanks in advance,
> >
> > Nico
> >
> > ---------------------------------------------------------
> > "It has been said that there are only two businesses that
> > refer to customers as users: illegal drug trade and
> > the computer industry."
> > ---------------------------------------------------------
> > Nico De Ranter
> > Sony Service Center (SDCE/VPE-B)
> > Sint Stevens Woluwestraat 55 (Rue de
> > Woluwe-Saint-Etienne)
> > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > e-mail: [email protected]
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
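To make the order of operations in this thread concrete, here is a small added model (not Check Point code, and not from any of the posters) of what the thread describes: rule 0 checks the source against the inbound interface's valid addresses, checks the still-untranslated destination against the outbound interface's valid addresses, and only then applies NAT. It reproduces the rejection of Charlie->Ed with the posted settings, the acceptance after Ed is added to the net A interface's valid addresses (Xena's suggested fix), and the net B rule that already works. Assumptions are marked in comments: the net B interface's valid addresses include the routed net C, and the net B host 192.168.1.5 is a constructed example address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)


@dataclass
class Interface:
    """A firewall interface and its anti-spoofing 'valid addresses' set."""
    name: str
    valid: List[str]  # networks or hosts in CIDR form

    def is_valid(self, addr: str) -> bool:
        ip = ip_address(addr)
        return any(ip in ip_network(n, strict=False) for n in self.valid)


@dataclass
class NatRule:
    """One NAT rule: original src/dst to match, translated src/dst (None = keep original)."""
    orig_src: str
    orig_dst: str
    xlate_src: Optional[str]
    xlate_dst: Optional[str]

    def matches(self, pkt: Packet) -> bool:
        src, dst = pkt
        return (ip_address(src) in ip_network(self.orig_src, strict=False)
                and ip_address(dst) in ip_network(self.orig_dst, strict=False))

    def apply(self, pkt: Packet) -> Packet:
        src, dst = pkt
        return (self.xlate_src or src, self.xlate_dst or dst)


def forward(pkt: Packet, in_if: Interface, out_if: Interface,
            nat_rules: List[NatRule]) -> Tuple[bool, str, Packet]:
    """Model of the order of operations the thread describes.

    1. Rule 0 on the inbound interface: the *source* must be a valid address there.
    2. Rule 0 on the outbound interface: the *destination* must be a valid address
       there. This sees the untranslated destination, because (as the reply
       explains) destination translation is the last thing done.
    3. NAT is applied only once both checks pass.
    """
    src, dst = pkt
    if not in_if.is_valid(src):
        return False, f"rule 0 on {in_if.name}: source {src} not in valid addresses", pkt
    if not out_if.is_valid(dst):
        return False, f"rule 0 on {out_if.name}: destination {dst} not in valid addresses", pkt
    for rule in nat_rules:
        if rule.matches(pkt):
            return True, "accepted, translated by NAT rule", rule.apply(pkt)
    return True, "accepted, no NAT", pkt


# Addresses taken from the thread
CHARLIE, ED, DANY, ALICE = "192.168.2.1", "192.168.3.1", "10.1.1.1", "10.2.2.2"

NAT_RULES = [
    # src: Charlie, dst: Ed  -->  src: Dany (hide), dst: Alice (static)
    NatRule(orig_src=CHARLIE, orig_dst=ED, xlate_src=DANY, xlate_dst=ALICE),
    # src: net B, dst: net A  -->  src: 10.1.1.2 (hide), dst: orig
    NatRule(orig_src="192.168.1.0/24", orig_dst="10.0.0.0/8",
            xlate_src="10.1.1.2", xlate_dst=None),
]

# Assumption: the net B interface lists net B and the routed net C as valid sources.
IF_NET_B = Interface("net B", ["192.168.1.0/24", "192.168.2.0/24"])
# Net A interface as posted: valid addresses are 10.x.x.x only.
IF_NET_A_ORIG = Interface("net A", ["10.0.0.0/8"])
# The suggested fix: a group of net A plus a workstation object for Ed.
IF_NET_A_FIXED = Interface("net A", ["10.0.0.0/8", ED + "/32"])


def charlie_to_ed(out_if: Interface) -> Tuple[bool, str, Packet]:
    """Charlie (net C) connecting to Ed, arriving on the net B interface."""
    return forward((CHARLIE, ED), IF_NET_B, out_if, NAT_RULES)


def netb_to_alice() -> Tuple[bool, str, Packet]:
    """A constructed net B host (192.168.1.5) connecting to Alice; the rule that works."""
    return forward(("192.168.1.5", ALICE), IF_NET_B, IF_NET_A_ORIG, NAT_RULES)


if __name__ == "__main__":
    cases = [("Charlie->Ed, original settings", charlie_to_ed(IF_NET_A_ORIG)),
             ("Charlie->Ed, Ed added to valid addresses", charlie_to_ed(IF_NET_A_FIXED)),
             ("net B host->Alice", netb_to_alice())]
    for label, (ok, why, out) in cases:
        print(f"{label}: {'ACCEPT' if ok else 'DROP'} ({why}) -> {out}")
```

The model only captures the ordering the thread argues about; it says nothing about connection tables, reverse-direction NAT or how the real product builds the valid-address set from the topology, so treat it as a way to reason about where rule 0 looks, not as a reference for product behaviour.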