Subject: Re: [FW-1] AW: [FW-1] NAT and anti-spoofing
It was originally a 4.1. After upgrading to NG this weekend it magically started working. Must be a 4.1 bug :-)

Nico

On Mon, Feb 25, 2002 at 08:29:05AM -0500, Cryptotech wrote:
> Greetings all. I think you will find (if you are running NG, which you must be to get that to work) that you will have to verify your antispoof settings and NAT in global properties.
> Verify 1: Antispoof domain contains all relevant 192.168 networks
> Verify 2: If this was an upgraded firewall, that you have changed the flag box to allow the NG translate on client side, otherwise the antispoof policy may not be compiled properly.
>
> Cheers,
> CryptoTech
>
> ----- Original Message -----
> From: [email protected]
> To: [email protected]
> Sent: Monday, February 25, 2002 1:07 AM
> Subject: [FW-1] AW: [FW-1] NAT and anti-spoofing
>
> How can this be? Spoofing is about the source address, not the destination address. I think it would be helpful to see your spoofing settings for all interfaces.
>
> -&
>
> > -----Original Message-----
> > From: Xena Warrior [mailto:[email protected]]
> > Sent: Saturday, 23 February 2002 12:52
> > To: [email protected]
> > Subject: Re: [FW-1] NAT and anti-spoofing
> >
> > I believe the problem with the first NAT rule is that the anti-spoofing check on the interior interface of the FW on NET A is seeing the destination address of 192.168.3.1, which has not been identified as a valid address. (The destination address translation to Alice's IP is the LAST thing done before sending to Alice.) Build a workstation object for Ed (192.168.3.1), then change the valid addresses on NET A's interface to be SPECIFIC > Build a group object that consists of NET A and the new Ed workstation object.
> >
> > Hope this helps
> >
> > --- Nico De Ranter <[email protected]> wrote:
> > > Howdy,
> > >
> > > ok, this is a tricky one :-)
> > > I have a configuration which -sort of- looks like this:
> > >
> > >   net A - 10.0.0.0
> > >       |
> > >       |
> > >   ----------
> > >   |firewall| ..... 'virtual' net D 10.1.1.0
> > >   |        |
> > >   |        |--- net E 192.168.3.0
> > >   ----------
> > >       |
> > >       |
> > >   net B - 192.168.1.0
> > >       |
> > >       |
> > >   ----------
> > >   | router |
> > >   ----------
> > >       |
> > >       |
> > >   net C - 192.168.2.0
> > >
> > > - net A is a world-wide WAN which does not know about net B or net C. However, we have a subnet D of net A which we use to NAT everything that needs access to net A.
> > > - net C does not know about net A (the router is not under our control). net C does know the way to net E.
> > > - The anti-spoofing settings say that valid addresses for the net A interface are 10.x.x.x
> > >
> > > A machine on net C (say: Charlie, 192.168.2.1) needs to contact a server on net A (say: Alice, 10.2.2.2). Since net C does not know about net A, I took an address on net E (say: Ed, 192.168.3.1) and one on net D known by net A (say: Dany, 10.1.1.1) and created a NAT rule which says:
> > >
> > >   src: Charlie, dst: Ed, prot: any
> > >   --- translate to -->
> > >   src: Dany (hide), dst: Alice (static), prot: original
> > >
> > > Anybody still following? :-)
> > >
> > > Now if I make a connection from Charlie to Ed (hoping to end up on Alice), the connection is rejected on the outgoing net A interface based on rule 0, meaning anti-spoofing rules.
> > >
> > > I have another rule saying
> > >
> > >   src: net B, dst: net A, prot: any
> > >   --- translate to -->
> > >   src: 10.1.1.2 (hide), dst: orig, prot: original
> > >
> > > that one works without problems.
> > >
> > > Any idea how I can fix the problem (except for turning off anti-spoofing rules, which is not an option)?
> > >
> > > thanks in advance,
> > >
> > > Nico

---------------------------------------------------------
"It has been said that there are only two businesses that
refer to customers as users: illegal drug trade and
the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41  Telefax: +32 2 726 26 86
e-mail: [email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
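As an added example (not part of the thread and not Check Point code), the following Python model plays out the ordering the posters are arguing about. It takes Xena's reading literally: rule 0 checks the source address on the arrival interface and the destination address on the egress interface, and the only difference between the two modes is whether the destination is translated before routing (the "translate on client side" behaviour Cryptotech mentions) or last, on the way out. Nico's addresses and both NAT rules are used as he gave them; two things are assumptions made so the packet follows the path his log describes: a host route sending Ed's address out of the net A interface, and net C being listed among the valid addresses of the net B interface (his second rule works, so it must already be there). The host "Bob" on net B is constructed for the second rule.

```python
"""Constructed model of anti-spoofing ("rule 0") versus NAT ordering.

Not Check Point code: it only models the behaviour described in the
thread. Inbound rule 0 checks the source against the arrival interface's
valid addresses; outbound rule 0 checks the destination against the
egress interface's valid addresses. Destination NAT happens either after
that outbound check ("server side", as Xena describes 4.1) or before
routing ("client side", the NG flag Cryptotech mentions).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    match_src: Net
    match_dst: Net
    new_src: Optional[str]  # hide source, or None for "original"
    new_dst: Optional[str]  # static destination, or None for "original"


def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]


# Valid addresses per interface. net A side is 10.x.x.x as Nico states.
# Assumption: net C (behind the router) is listed on the net B interface.
TOPOLOGY: Dict[str, List[Net]] = {
    "netA": nets("10.0.0.0/8"),
    "netB": nets("192.168.1.0/24", "192.168.2.0/24"),
    "netE": nets("192.168.3.0/24"),
}

# Nico's two NAT rules, as posted.
NAT_RULES: List[NatRule] = [
    NatRule(*nets("192.168.2.1/32", "192.168.3.1/32"), "10.1.1.1", "10.2.2.2"),
    NatRule(*nets("192.168.1.0/24", "10.0.0.0/8"), "10.1.1.2", None),
]

# Firewall host routes, longest prefix wins. Assumption: a host route for
# Ed (192.168.3.1) points out the net A interface, which is the only way
# the packet can reach the "outgoing net A interface" in Nico's log.
ROUTES: List[Tuple[Net, str]] = [
    (ipaddress.ip_network("192.168.3.1/32"), "netA"),
    (ipaddress.ip_network("10.0.0.0/8"), "netA"),
    (ipaddress.ip_network("192.168.1.0/24"), "netB"),
    (ipaddress.ip_network("192.168.2.0/24"), "netB"),
    (ipaddress.ip_network("192.168.3.0/24"), "netE"),
]


def in_valid(addr: str, iface: str, topology: Dict[str, List[Net]]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in topology[iface])


def route(dst: str) -> str:
    ip = ipaddress.ip_address(dst)
    matches = [(n.prefixlen, iface) for n, iface in ROUTES if ip in n]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches)[1]


def apply_nat(pkt: Packet) -> Packet:
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in NAT_RULES:  # first matching rule wins
        if s in r.match_src and d in r.match_dst:
            return Packet(r.new_src or pkt.src, r.new_dst or pkt.dst)
    return pkt


def forward(pkt: Packet, in_iface: str, client_side_dst_nat: bool,
            topology: Dict[str, List[Net]] = TOPOLOGY) -> str:
    """Return an ACCEPT line or a line naming where rule 0 dropped the packet."""
    if not in_valid(pkt.src, in_iface, topology):
        return f"DROP rule 0 inbound on {in_iface}: src {pkt.src}"
    if client_side_dst_nat:
        pkt = apply_nat(pkt)  # translated before routing and before the egress check
    out_iface = route(pkt.dst)
    if not in_valid(pkt.dst, out_iface, topology):
        return f"DROP rule 0 outbound on {out_iface}: dst {pkt.dst}"
    if not client_side_dst_nat:
        pkt = apply_nat(pkt)  # translated last, after the egress check (4.1 behaviour)
    return f"ACCEPT via {out_iface} as {pkt.src}->{pkt.dst}"


def xena_topology() -> Dict[str, List[Net]]:
    """Xena's workaround: net A's valid addresses = group(net A, Ed workstation)."""
    t = {k: list(v) for k, v in TOPOLOGY.items()}
    t["netA"] = t["netA"] + nets("192.168.3.1/32")
    return t


def demo() -> Dict[str, str]:
    charlie_to_ed = Packet("192.168.2.1", "192.168.3.1")  # Nico's first rule
    bob_to_alice = Packet("192.168.1.10", "10.2.2.2")     # his second rule; Bob is constructed
    return {
        "rule1_server_side": forward(charlie_to_ed, "netB", False),
        "rule1_client_side": forward(charlie_to_ed, "netB", True),
        "rule1_server_side_xena": forward(charlie_to_ed, "netB", False, xena_topology()),
        "rule2_server_side": forward(bob_to_alice, "netB", False),
        "rule2_client_side": forward(bob_to_alice, "netB", True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

In the server-side mode the first rule dies exactly where Nico saw it, on the outbound net A check with the destination still 192.168.3.1; either adding Ed to net A's valid addresses (Xena's group object) or translating the destination on the client side lets it through, and the second rule passes in both modes because its destination is already a 10.x address when the egress check runs.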