
Re: [FW-1] AW: [FW-1] NAT and anti-spoofing



Title: AW: [FW-1] NAT and anti-spoofing
Greetings all. I think you will find (if you are running NG, which you must be to get that to work) that you will verify your antispoof settings and NAT in global properties.
Verify 1: Antispoof domain contains all relevant 192.168 networks
Verify 2: If this was an upgraded firewall, that you have changed the flag box to allow the NG translate on client side, otherwise the antispoof policy may not be compiled properly.
 
Cheers,
CryptoTech
----- Original Message -----
Sent: Monday, February 25, 2002 1:07 AM
Subject: [FW-1] AW: [FW-1] NAT and anti-spoofing

How can this be? Spoofing is about the source address, not the destination address. I think it would be helpful to see your spoofing settings for all interfaces.

                -&


> -----Original Message-----
> From: Xena Warrior [mailto:[email protected]]
> Sent: Saturday, 23 February 2002 12:52
> To: [email protected]
> Subject: Re: [FW-1] NAT and anti-spoofing
>
> I believe the problem with the first NAT rule is that
> the anti-spoofing check on the interior interface of
> FW on NET A is seeing the Destination Address of
> 192.168.3.1 which has not been identified as a Valid
> Address. (The Destination Address Translation to
> Alice's IP is the LAST thing done before sending to
> Alice.) Build a Workstation object for Ed
> (192.168.3.1), then change the Valid Addresses on NET
> A's interface to be SPECIFIC. Build a group object
> that consists of NET A and the new ED workstation
> object.
>
> Hope this helps
>
>
> --- Nico De Ranter <[email protected]> wrote:
> > Howdy,
> >
> > ok, this is a tricky one :-)
> > I have a configuration which -sort of- looks like
> > this:
> >
> >             net A - 10.0.0.0
> >                     |
> >                     |
> >                 ----------
> >                 |firewall| ..... 'virtual' net D 10.1.1.0
> >                 |        |
> >                 |        |--- net E 192.168.3.0
> >                 ----------
> >                     |
> >                     |
> >            net B - 192.168.1.0
> >                     |
> >                     |
> >                 ----------
> >                 | router |
> >                 ----------
> >                     |
> >                     |
> >            net C - 192.168.2.0
> >
> >
> > - net A is a world-wide WAN which does not know about net B or net C.
> >   However, we have a subnet D of net A which we use to NAT everything
> >   that needs access to net A.
> > - net C does not know about net A (router is not under our control).
> >   net C does know the way to net E.
> > - The anti-spoofing settings say that valid addresses for the net A
> >   interface are 10.x.x.x.
> >
> > A machine on net C (say: Charlie, 192.168.2.1) needs to contact a
> > server on net A (say: Alice, 10.2.2.2). Since net C does not know about
> > net A, I took an address on net E (say: Ed, 192.168.3.1) and one
> > on net D known by net A (say: Dany, 10.1.1.1) and created
> > a NAT rule which says:
> >
> > src: Charlie, dst: Ed,    prot: any
> >         --- translate to -->
> > src: Dany (hide), dst: Alice (static), prot: original
> >
> > Anybody still following? :-)
> >
> > Now if I make a connection from Charlie to Ed (hoping to end
> > up on Alice), the connection is rejected on the outgoing net A
> > interface based on rule 0, meaning anti-spoofing rules.
> >
> >
> > I have another rule saying
> >
> > src: net B, dst: net A, prot: any
> >        --- translate to -->
> > src: 10.1.1.2 (hide), dst: orig, prot: original
> >
> > that one works without problems.
> >
> > Any idea how I can fix the problem (except for turning off anti-spoofing
> > rules, which is not an option)?
> >
> > thanks in advance,
> >
> > Nico
> >
> > ---------------------------------------------------------
> >  "It has been said that there are only two businesses that
> >   refer to customers as users: illegal drug trade and
> >                the computer industry."
> > ---------------------------------------------------------
> > Nico De Ranter
> > Sony Service Center (SDCE/VPE-B)
> > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > e-mail: [email protected]
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
>
>
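The failure mode discussed in this thread, modelled as an added Python example (not code from the list or from Check Point): a packet is checked against the inbound interface's valid addresses on entry and against the outbound interface's valid addresses on exit, and the point at which the static destination translation happens decides what the outbound check sees. The per-interface valid-address sets, the net B host 192.168.1.5 and the egress interface are assumptions; the host addresses are the ones from the post.

```python
import ipaddress as ip

# Constructed model of the thread's topology. Addresses come from the post;
# the per-interface valid-address sets are assumptions (net C sits behind the
# router on net B, so it is listed on the net B interface).
VALID = {
    "netA": ["10.0.0.0/8"],
    "netB": ["192.168.1.0/24", "192.168.2.0/24"],
    "netE": ["192.168.3.0/24"],
}
CHARLIE, ED, DANY, ALICE = "192.168.2.1", "192.168.3.1", "10.1.1.1", "10.2.2.2"

def in_topology(addr, iface, valid=VALID):
    """Anti-spoofing test: is addr inside the networks defined for iface?"""
    a = ip.ip_address(addr)
    return any(a in ip.ip_network(n) for n in valid[iface])

def forward(src, dst, in_if, out_if, nat=None, client_side_dst=False, valid=VALID):
    """Walk one packet through inbound check, NAT and outbound check.

    nat is (new_src, new_dst) or None. With client_side_dst=True the
    destination is rewritten right after the inbound check (NG 'translate
    destination on client side'); otherwise only after the outbound check
    (the server-side behaviour Xena describes). Returns (verdict, src, dst)
    as they stood when the verdict was reached.
    """
    if not in_topology(src, in_if, valid):
        return ("drop: inbound anti-spoofing on " + in_if, src, dst)
    if nat and client_side_dst:
        dst = nat[1] or dst
    if not in_topology(dst, out_if, valid):
        return ("drop: outbound anti-spoofing on " + out_if, src, dst)
    if nat:
        src = nat[0] or src
        dst = nat[1] or dst
    return ("accept", src, dst)

def scenarios():
    rule = (DANY, ALICE)  # src Charlie -> Dany (hide), dst Ed -> Alice (static)
    # Egress is the net A interface in every case, as the post reports the
    # rejection there (assumption: a route for Ed's address points that way).
    return {
        "server_side": forward(CHARLIE, ED, "netB", "netA", rule),
        "client_side": forward(CHARLIE, ED, "netB", "netA", rule, client_side_dst=True),
        "xena_fix": forward(CHARLIE, ED, "netB", "netA", rule,
                            valid={**VALID, "netA": VALID["netA"] + ["192.168.3.1/32"]}),
        # Constructed net B host using the second (hide-only) rule from the post.
        "netB_hide_rule": forward("192.168.1.5", ALICE, "netB", "netA", ("10.1.1.2", None)),
    }
```

Only the first scenario is dropped: the outbound check on net A sees the untranslated 192.168.3.1, which is why adding Ed to net A's valid addresses or translating on the client side both clear it.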



 