----- Original Message -----
Sent: Monday, February 25, 2002 1:07 AM
Subject: [FW-1] Re: [FW-1] NAT and anti-spoofing

How can this be? Spoofing is about the source address, not the
destination address. I think it would be helpful to see your spoofing settings
for all interfaces.

> -----Original Message-----
> From: Xena Warrior [mailto:[email protected]]
> Sent: Saturday, 23 February 2002 12:52
> To: [email protected]
> Subject: Re: [FW-1] NAT and anti-spoofing
>
> I believe the problem with the first NAT rule is that
> the anti-spoofing check on the interior interface of
> FW on NET A is seeing the destination address of
> 192.168.3.1, which has not been identified as a Valid
> Address. (The destination address translation to
> Alice's IP is the LAST thing done before sending to
> Alice.) Build a workstation object for Ed
> (192.168.3.1), then change the Valid Addresses on NET
> A's interface to be SPECIFIC. Build a group object
> that consists of NET A and the new ED workstation
> object.
>
> Hope this helps
>
>
> --- Nico De Ranter <[email protected]> wrote:
> > Howdy,
> >
> > ok, this is a tricky one :-)
> > I have a configuration which -sort of- looks like
> > this:
> >
> >                  net A - 10.0.0.0
> >                      |
> >                      |
> >                  ----------
> >                  |firewall| ..... 'virtual' net D 10.1.1.0
> >                  |        |
> >                  |        |--- net E 192.168.3.0
> >                  ----------
> >                      |
> >                      |
> >                  net B - 192.168.1.0
> >                      |
> >                      |
> >                  ----------
> >                  | router |
> >                  ----------
> >                      |
> >                      |
> >                  net C - 192.168.2.0
> >
> >
> > - net A is a world-wide WAN which does not know about net B
> >   or net C. However we have a subnet D of net A which we use
> >   to NAT everything that needs access to net A.
> > - net C does not know about net A (router is not under our control).
> >   net C does know the way to net E
> > - The anti-spoofing settings say that valid addresses for net A interface
> >   are 10.x.x.x
> >
> > a machine on net C (say: Charlie, 192.168.2.1) needs to contact a
> > server on net A (say: Alice, 10.2.2.2). Since net C does not know about
> > net A, I took an address on net E (say: Ed, 192.168.3.1) and one
> > on net D known by net A (say: Dany, 10.1.1.1) and created
> > a NAT rule which says:
> >
> > src: Charlie, dst: Ed, prot: any
> > --- translate to -->
> > src: Dany (hide), dst: Alice (static), prot: original
> >
> > Anybody still following? :-)
> >
> > Now if I make a connection from Charlie to Ed (hoping to end
> > up on Alice), the connection is rejected on the outgoing net A
> > interface based on rule 0, meaning anti-spoofing rules.
> >
> >
> > I have another rule saying
> >
> > src: net B, dst: net A, prot: any
> > --- translate to -->
> > src: 10.1.1.2 (hide), dst: orig, prot: original
> >
> > that one works without problems.
> >
> > Any idea how I can fix the problem (except for turning off anti-spoofing
> > rules which is not an option)
> >
> > thanks in advance,
> >
> > Nico
> >
> > ---------------------------------------------------------
> > "It has been said that there are only two businesses that
> > refer to customers as users: illegal drug trade and
> > the computer industry."
> > ---------------------------------------------------------
> > Nico De Ranter
> > Sony Service Center (SDCE/VPE-B)
> > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > e-mail: [email protected]
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
>
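Added illustration (not part of the original thread and not Check Point code): a toy Python model of the packet path as Xena describes it. Rule 0 on the ingress interface checks the source against that interface's Valid Addresses, the NAT rule base is matched on the original addresses, the packet is forwarded toward the translated destination, and rule 0 on the egress interface still sees the untranslated destination because destination NAT is applied last. The addresses, the two NAT rules and the Valid Addresses setting come from Nico's mail; the routing table, the class and function names (Interface, NatRule, Firewall, build, demo), the verdict strings and the exact order of the checks are assumptions of the model, chosen to reproduce the symptom in the thread and to show why Xena's fix (adding Ed to net A's Valid Addresses) makes the first rule pass.

```python
"""Toy model of the FW-1 NAT / anti-spoofing ordering described in the thread.

Added example, not Check Point code. Every value below is constructed from the
addresses in Nico's mail; the routing table and the order of checks are
assumptions that follow Xena's explanation, not a verified product internal.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    valid: List[str]  # Valid Addresses for anti-spoofing, as CIDR strings

    def accepts(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in ip_network(n) for n in self.valid)


@dataclass
class NatRule:
    orig_src: str             # original source (CIDR)
    orig_dst: str             # original destination (CIDR)
    xlate_src: Optional[str]  # hide-NAT source, None = keep original
    xlate_dst: Optional[str]  # static-NAT destination, None = keep original

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.orig_src)
                and ip_address(dst) in ip_network(self.orig_dst))


@dataclass
class Firewall:
    interfaces: Dict[str, Interface]
    routes: List[Tuple[str, str]]   # (CIDR, interface name): toy routing table
    nat_rules: List[NatRule]

    def egress_for(self, dst: str) -> Optional[Interface]:
        """Longest-prefix match on the toy routing table."""
        a = ip_address(dst)
        best = None
        for cidr, iface in self.routes:
            net = ip_network(cidr)
            if a in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return self.interfaces[best[1]] if best else None

    def process(self, ingress: str, src: str, dst: str) -> Tuple[str, str, str]:
        """Return (verdict, src, dst) as the packet leaves, or as it was dropped."""
        # Rule 0, inbound: the source must lie inside the ingress Valid Addresses.
        if not self.interfaces[ingress].accepts(src):
            return ("drop: rule 0 inbound on " + ingress, src, dst)
        # The NAT rule base is matched on the *original* addresses.
        rule = next((r for r in self.nat_rules if r.matches(src, dst)), None)
        new_src = rule.xlate_src if rule and rule.xlate_src else src
        new_dst = rule.xlate_dst if rule and rule.xlate_dst else dst
        # The packet is forwarded toward the translated destination ...
        egress = self.egress_for(new_dst)
        if egress is None:
            return ("drop: no route", src, dst)
        # ... but the outbound rule-0 check still sees the untranslated
        # destination, because (per the thread) destination NAT is applied last.
        if not egress.accepts(dst):
            return ("drop: rule 0 outbound on " + egress.name, src, dst)
        return ("accept via " + egress.name, new_src, new_dst)


def build(valid_on_net_a: List[str]) -> Firewall:
    """The topology from Nico's diagram; net C sits behind the router on net B."""
    return Firewall(
        interfaces={
            "netA": Interface("netA", valid_on_net_a),
            "netB": Interface("netB", ["192.168.1.0/24", "192.168.2.0/24"]),
            "netE": Interface("netE", ["192.168.3.0/24"]),
        },
        routes=[("10.0.0.0/8", "netA"), ("192.168.1.0/24", "netB"),
                ("192.168.2.0/24", "netB"), ("192.168.3.0/24", "netE")],
        nat_rules=[
            # src: Charlie, dst: Ed  -->  src: Dany (hide), dst: Alice (static)
            NatRule("192.168.2.1/32", "192.168.3.1/32", "10.1.1.1", "10.2.2.2"),
            # src: net B, dst: net A  -->  src: 10.1.1.2 (hide), dst: orig
            NatRule("192.168.1.0/24", "10.0.0.0/8", "10.1.1.2", None),
        ],
    )


def demo() -> Dict[str, Tuple[str, str, str]]:
    before = build(["10.0.0.0/8"])                    # Nico's setting: 10.x.x.x only
    after = build(["10.0.0.0/8", "192.168.3.1/32"])   # Xena's fix: NET A plus Ed
    return {
        "charlie_to_ed_before": before.process("netB", "192.168.2.1", "192.168.3.1"),
        "charlie_to_ed_after": after.process("netB", "192.168.2.1", "192.168.3.1"),
        "netb_to_neta": before.process("netB", "192.168.1.5", "10.2.2.2"),
        "spoofed_src_on_netb": before.process("netB", "10.9.9.9", "10.2.2.2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model reproduces both observations from the thread: the net B to net A hide rule passes because its untranslated destination is already a 10.x.x.x address, while the Charlie to Ed rule is rejected on the net A interface until Ed's host is added to that interface's Valid Addresses. The fourth case shows what rule 0 is there for: a packet arriving on the net B interface with a 10.x.x.x source is dropped before any NAT lookup. Whether a given FW-1 release really evaluates the outbound check on the untranslated destination is exactly the question the first reply raises, so treat the model as a way to reason about the settings, not as a statement of product behaviour.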