
Re: [FW-1] AW: [FW-1] NAT and anti-spoofing



It was originally a 4.1. After upgrading to NG this weekend it
magically started working.  Must be a 4.1 bug :-)

Nico

On Mon, Feb 25, 2002 at 08:29:05AM -0500, Cryptotech wrote:
> Greetings all.  I think you will find (if you are running NG, which you must be to get that to work) that you need to verify your antispoof settings and NAT in Global Properties.
> Verify 1: Antispoof domain contains all relevant 192.168 networks
> Verify 2: If this was an upgraded firewall, that you have changed the flag box to allow the NG translate on client side, otherwise the antispoof policy may not be compiled properly.
>
> Cheers,
> CryptoTech
>   ----- Original Message -----
>   From: [email protected]
>   To: [email protected]
>   Sent: Monday, February 25, 2002 1:07 AM
>   Subject: [FW-1] AW: [FW-1] NAT and anti-spoofing
>
>
>   How can this be? Spoofing is about the source address, not the destination address. I think it would be helpful to see your spoofing settings for all interfaces.
>
>                   -&
>
>
>
>   > -----Original Message-----
>   > From: Xena Warrior [mailto:[email protected]]
>   > Sent: Saturday, 23 February 2002 12:52
>   > To: [email protected]
>   > Subject: Re: [FW-1] NAT and anti-spoofing
>   >
>   > I believe the problem with the first NAT rule is that the anti-spoofing
>   > check on the interior interface of the FW on NET A is seeing the
>   > destination address of 192.168.3.1, which has not been identified as a
>   > valid address.  (The destination address translation to Alice's IP is
>   > the LAST thing done before sending to Alice.)  Build a workstation object
>   > for Ed (192.168.3.1), then change the Valid Addresses on NET A's
>   > interface to be SPECIFIC, then build a group object that consists of
>   > NET A and the new Ed workstation object.
>   >
>   > Hope this helps
>   >
>   >
>   > --- Nico De Ranter <[email protected]> wrote:
>   > > Howdy,
>   > >
>   > > ok, this is a tricky one :-)
>   > > I have a configuration which -sort of- looks like this:
>   > >
>   > >             net A - 10.0.0.0
>   > >                     |
>   > >                     |
>   > >                 ----------
>   > >                 |firewall| ..... 'virtual' net D 10.1.1.0
>   > >                 |        |
>   > >                 |        |--- net E 192.168.3.0
>   > >                 ----------
>   > >                     |
>   > >                     |
>   > >            net B - 192.168.1.0
>   > >                     |
>   > >                     |
>   > >                 ----------
>   > >                 | router |
>   > >                 ----------
>   > >                     |
>   > >                     |
>   > >            net C - 192.168.2.0
>   > >
>   > > - net A is a world-wide WAN which does not know about net B or net C.
>   > >   However we have a subnet D of net A which we use to NAT everything
>   > >   that needs access to net A.
>   > > - net C does not know about net A (router is not under our control).
>   > >   net C does know the way to net E.
>   > > - The anti-spoofing settings say that valid addresses for the net A
>   > >   interface are 10.x.x.x
>   > >
>   > > A machine on net C (say: Charlie, 192.168.2.1) needs to contact a
>   > > server on net A (say: Alice, 10.2.2.2). Since net C does not know about
>   > > net A, I took an address on net E (say: Ed, 192.168.3.1) and one on
>   > > net D known by net A (say: Dany, 10.1.1.1) and created a NAT rule
>   > > which says:
>   > >
>   > > src: Charlie, dst: Ed,    prot: any
>   > >         --- translate to -->
>   > > src: Dany (hide), dst: Alice (static), prot: original
>   > >
>   > > Anybody still following? :-)
>   > >
>   > > Now if I make a connection from Charlie to Ed (hoping to end up on
>   > > Alice), the connection is rejected on the outgoing net A interface
>   > > based on rule 0, meaning anti-spoofing rules.
>   > >
>   > > I have another rule saying
>   > >
>   > > src: net B, dst: net A, prot: any
>   > >        --- translate to -->
>   > > src: 10.1.1.2 (hide), dst: orig, prot: original
>   > >
>   > > that one works without problems.
>   > >
>   > > Any idea how I can fix the problem (except for turning off
>   > > anti-spoofing rules, which is not an option)?
>   > >
>   > > thanks in advance,
>   > >
>   > > Nico
>   > >
>   > > ---------------------------------------------------------
>   > >  "It has been said that there are only two businesses that
>   > >   refer to customers as users: illegal drug trade and
>   > >                the computer industry."
>   > > ---------------------------------------------------------
>   > > Nico De Ranter
>   > > Sony Service Center (SDCE/VPE-B)
>   > > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
>   > > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
>   > > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
>   > > e-mail: [email protected]
>   > >
>   > > =================================================
>   > > To set vacation, Out Of Office, or away messages,
>   > > send an email to [email protected]
>   > > in the BODY of the email add:
>   > > set fw-1-mailinglist nomail
>   > > =================================================
>   > > To unsubscribe from this mailing list,
>   > > please see the instructions at
>   > > http://www.checkpoint.com/services/mailing.html
>   > > =================================================
>   > > If you have any questions on how to change your
>   > > subscription options, email
>   > > [email protected]
>   > > =================================================
>   >
>   >
>   >
>
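The processing-order argument running through this thread (the outbound anti-spoofing check on the net A interface seeing the untranslated destination 192.168.3.1, because the static destination translation is applied last unless NG's "translate on client side" setting is used) as a small Python model. This is an added example, not Check Point code and not anything posted in the thread: the interface valid-address sets, the two NAT rules, the packet addresses and the rule-0 semantics (inbound: the source must belong to the network behind the inbound interface; outbound: the destination must belong to the network behind the egress interface) are assumptions taken from the replies, and the egress interface is chosen from the post-NAT destination so that the rejection lands where Nico's log reports it, on the outgoing net A interface.

```python
"""Model of how NAT ordering interacts with FW-1-style anti-spoofing (rule 0).

Added example, not Check Point code.  Topology and NAT rules follow the
thread; the anti-spoofing semantics are an assumption taken from the replies:
  inbound  -> the source must belong to the network behind the inbound interface
  outbound -> the destination must belong to the network behind the egress interface
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class NatRule:
    match_src: IPv4Network
    match_dst: IPv4Network
    new_src: Optional[IPv4Address]  # hide NAT: rewrite the source (None = keep)
    new_dst: Optional[IPv4Address]  # static NAT: rewrite the destination (None = keep)


# "Valid addresses" per interface, constructed from the diagram.  Net C sits
# behind a router on net B, so its addresses are part of net B's valid set.
VALID = {
    "netA": [ip_network("10.0.0.0/8")],
    "netB": [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")],
    "netE": [ip_network("192.168.3.0/24")],
}

NAT_RULES = [
    # Charlie -> Ed  is translated to  Dany (hide) -> Alice (static)
    NatRule(ip_network("192.168.2.1/32"), ip_network("192.168.3.1/32"),
            ip_address("10.1.1.1"), ip_address("10.2.2.2")),
    # net B -> net A is hidden behind 10.1.1.2, destination left as is
    NatRule(ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8"),
            ip_address("10.1.1.2"), None),
]


def packet(src: str, dst: str) -> Packet:
    """Convenience constructor from dotted-quad strings."""
    return Packet(ip_address(src), ip_address(dst))


def is_valid(iface: str, addr: IPv4Address) -> bool:
    """True if addr lies inside one of the interface's valid-address networks."""
    return any(addr in net for net in VALID[iface])


def egress_interface(dst: IPv4Address) -> str:
    """Pick the interface whose network contains dst; net A is the WAN default."""
    for iface, nets in VALID.items():
        if any(dst in net for net in nets):
            return iface
    return "netA"


def apply_nat(pkt: Packet) -> Packet:
    """First-match NAT, as in an address translation rulebase."""
    for rule in NAT_RULES:
        if pkt.src in rule.match_src and pkt.dst in rule.match_dst:
            src = rule.new_src if rule.new_src is not None else pkt.src
            dst = rule.new_dst if rule.new_dst is not None else pkt.dst
            return Packet(src, dst)
    return pkt


def process(pkt: Packet, in_iface: str, translate_on_client_side: bool) -> Tuple[str, str, Packet]:
    """Return (verdict, reason, packet as it would leave the firewall).

    translate_on_client_side=False models server-side destination NAT: the
    outbound rule-0 check runs against the still-untranslated destination.
    """
    # Rule 0, inbound: a source that does not belong behind in_iface is spoofed.
    if not is_valid(in_iface, pkt.src):
        return ("reject", f"rule 0 inbound {in_iface}: src {pkt.src}", pkt)

    translated = apply_nat(pkt)
    # Egress is taken from the post-NAT destination (Alice lives on net A),
    # which is where the thread's log places the rejection.
    out_iface = egress_interface(translated.dst)

    checked_dst = translated.dst if translate_on_client_side else pkt.dst
    if not is_valid(out_iface, checked_dst):
        return ("reject", f"rule 0 outbound {out_iface}: dst {checked_dst}", translated)
    return ("accept", f"forwarded via {out_iface}", translated)


if __name__ == "__main__":
    cases = [
        ("Charlie->Ed", packet("192.168.2.1", "192.168.3.1")),
        ("netB->Alice", packet("192.168.1.7", "10.2.2.2")),
        ("spoofed src", packet("10.5.5.5", "10.2.2.2")),
    ]
    for label, pkt in cases:
        for mode in (False, True):
            verdict, reason, out = process(pkt, "netB", mode)
            print(f"{label:12} client-side={mode!s:5} {verdict:6} {reason} -> {out.src} > {out.dst}")
```

Running it reproduces the three observations in the thread: the Charlie-to-Ed rule is rejected on the outgoing net A interface when the destination is translated server-side and accepted when it is translated client-side, the plain hide rule from net B works in both modes because its destination is never rewritten, and a genuinely spoofed source is still dropped inbound in both modes, which is why switching anti-spoofing off would have been the wrong fix.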



   All contents © 2004 Network Presence, LLC. All rights reserved.