Re: [FW-1] NAT problem with FW's external IP address and port selection
On Mon, 15 Apr 2002, Ilker Gokhan wrote:

> Sid Van den Heede wrote:
>
> > I'm trying to set up a firewall on a network where I have one public IP address
> > assigned. I want to have incoming http requests forwarded to an internal
> > machine (private IP address).
> >
> > I have a rule that resembles this:
> >
> > Any -> firewall-public-address (http) Accept
> >
> > and a NAT rule like this:
> >
> > Any -> firewall-public-address (http) : Original -> internal-IP (Original)
> >
> > When I try to access the service, the firewall responds by resetting the
> > connection request. The request never appears on the internal interface.
> >
> > What am I missing?
>
> Maybe you have an IP spoofing problem? Or a routing problem? Please check
> both of these situations.
>
> Best regards,
> Ilker G.

The log file said it accepted the connection and translated the destination address. Tcpdump showed that the SYN packet was responded to with a RST packet on the external interface. The internal interface showed no traffic associated with this connection.

I don't know what routing I could have done. Typically with NAT you add a route to redirect traffic addressed to the service's external address to its internal address, something like this:

route add 123.123.123.123 192.168.210.210

Now, that will work if 123.123.123.123 is associated with 192.168.210.210 for all services. What if I want HTTP traffic to go there, but SMTP traffic to go to, say, 192.168.120.120? The NAT table suggests I can do that, but how do I route? Is that why I can't get it to work, because I'd have to route the firewall's own external address to this internal machine?

Here's another observation. I managed to get a second IP address from the provider. I did the normal NAT thing for that address, but in my haste I added this second IP address as an alias address (as in "ifconfig eth0:1 ..."). That produced the same result.

When I realized my mistake and shut down eth0:1, that put it back to normal, and, of course, it worked fine.

So, this would seem to suggest that you cannot route an address that appears on one of a firewall's interfaces to an internal host, and therefore you cannot have a single IP address on a firewall's external network and expect to NAT based on service to an internal host. Does this seem to be the case?

Unfortunately, the documentation doesn't give any clear indication of how to do NAT where a service is selected, in terms of describing abilities and limitations.
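Added example, not part of the thread or of FireWall-1: a small Python consistency check over a NAT table, the firewall's interface addresses and its host routes, using constructed addresses taken from Sid's message. It flags the two situations he describes (a NATed public address that is also bound to a firewall interface, and one public address NATed by port to more than one internal host, which a single host route cannot express); the mapping of the RST behaviour to the "local-address" case is an assumption drawn from his observation, not a documented product rule.

```python
from ipaddress import ip_address

# Constructed sample modelled on the thread: 123.123.123.123 is the firewall's
# only external address and is NATed per service to two internal hosts;
# 123.123.123.124 is the second address, mistakenly added as alias eth0:1.
NAT_TABLE = [  # (public_ip, protocol, port, internal_ip)
    ("123.123.123.123", "tcp", 80, "192.168.210.210"),
    ("123.123.123.123", "tcp", 25, "192.168.120.120"),
    ("123.123.123.124", "tcp", 80, "192.168.210.210"),
]
LOCAL_ADDRESSES = {"eth0": "123.123.123.123", "eth0:1": "123.123.123.124"}
HOST_ROUTES = {"123.123.123.124": "192.168.210.210"}  # route add <public> <internal>


def nat_targets(nat_table):
    """Group the NAT table by public address: public_ip -> {internal_ip, ...}."""
    targets = {}
    for public_ip, _proto, _port, internal_ip in nat_table:
        targets.setdefault(str(ip_address(public_ip)), set()).add(internal_ip)
    return targets


def check_nat_routing(nat_table, local_addresses, host_routes):
    """Return (code, public_ip) findings for NAT rules the routing cannot honour.

    local-address : the NATed public IP is bound to a firewall interface
                    (assumed cause of the RST seen in the thread).
    multi-host    : one public IP is NATed by port to several internal hosts,
                    but a host route can name only one next hop.
    missing-route : no host route sends the public IP toward an internal host.
    wrong-route   : the host route points at a host the NAT table never uses.
    """
    findings = []
    local = set(local_addresses.values())
    for public_ip, internal_ips in sorted(nat_targets(nat_table).items()):
        if public_ip in local:
            findings.append(("local-address", public_ip))
        if len(internal_ips) > 1:
            findings.append(("multi-host", public_ip))
        if public_ip in local:
            continue  # routing is moot while the firewall itself owns the address
        next_hop = host_routes.get(public_ip)
        if next_hop is None:
            findings.append(("missing-route", public_ip))
        elif next_hop not in internal_ips:
            findings.append(("wrong-route", public_ip))
    return findings


if __name__ == "__main__":
    for code, ip in check_nat_routing(NAT_TABLE, LOCAL_ADDRESSES, HOST_ROUTES):
        print(f"{ip}: {code}")
```

Dropping the eth0:1 alias from LOCAL_ADDRESSES clears the finding for the second address, which matches the fix Sid reports.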