Re: [FW-1] NAT problem with FW's external IP address and port selection
Dear Sid,

On Monday, 15 April 2002, 16:25:45, you wrote:

SVdH> On Mon, 15 Apr 2002, Ilker Gokhan wrote:

>> Sid Van den Heede wrote:
>>
>> > I'm trying to set up a firewall on a network where I have one public IP
>> > address assigned. I want to have incoming http requests forwarded to an
>> > internal machine (private IP address).
>> >
>> > I have a rule that resembles this:
>> >
>> >     Any -> firewall-public-address (http)   Accept
>> >
>> > and a NAT rule like this:
>> >
>> >     Any -> firewall-public-address (http) : Original -> internal-IP (Original)
>> >
>> > When I try to access the service, the firewall responds by resetting the
>> > connection request. The request never appears on the internal interface.
>> >
>> > What am I missing?
>>
>> Maybe you have an IP spoofing problem? Or a routing problem. Please check
>> both of these situations.
>>
>> Best regards,
>> Ilker G.

SVdH> The log file said it accepted the connection and translated the
SVdH> destination address.

SVdH> Tcpdump showed that the SYN packet was responded to with an RST packet on
SVdH> the external interface. The internal interface showed no traffic
SVdH> associated with this connection.

SVdH> I don't know what routing I could have done. Typically with NAT you add a
SVdH> route to redirect traffic addressed to the service's external address to
SVdH> its internal address, something like this:

SVdH>     route add 123.123.123.123 192.168.210.210

SVdH> Now, that will work if 123.123.123.123 is associated with 192.168.210.210
SVdH> for all services. What if I want HTTP traffic to go there, but SMTP
SVdH> traffic to go to, say, 192.168.120.120? The NAT table suggests I can do
SVdH> that, but how do I route?

SVdH> Is that why I can't get it to work, because I'd have to route the
SVdH> firewall's own external address to this internal machine?

SVdH> Here's another observation. I managed to get a second IP address from the
SVdH> provider. I did the normal NAT thing for that address, but in my haste I
SVdH> added this second IP address as an alias address (as in
SVdH> "ipconfig eth0:1 ..."). That produced the same result. When I realized my
SVdH> mistake and shut down eth0:1, that put it back to normal, and, of course,
SVdH> it worked fine.

SVdH> So, this would seem to suggest that you cannot route an address that
SVdH> appears on one of a firewall's interfaces to an internal host, and
SVdH> therefore you cannot have a single IP address on a firewall's external
SVdH> network and expect to NAT based on service to an internal host.

SVdH> Does this seem to be the case? Unfortunately, the documentation doesn't
SVdH> give any clear indication of how to do NAT where a service is selected,
SVdH> in terms of describing abilities and limitations.

SVdH> =================================================
SVdH> To set vacation, Out Of Office, or away messages,
SVdH> send an email to [email protected]
SVdH> in the BODY of the email add:
SVdH> set fw-1-mailinglist nomail
SVdH> =================================================
SVdH> To unsubscribe from this mailing list,
SVdH> please see the instructions at
SVdH> http://www.checkpoint.com/services/mailing.html
SVdH> =================================================
SVdH> If you have any questions on how to change your
SVdH> subscription options, email
SVdH> [email protected]
SVdH> =================================================

Hi, take a good look at this:

http://www.phoneboy.com/faq/0428.html

Eduardo

-- 
Eduardo Eirós Valle          mailto:[email protected]
Nextel S.A.
Ingeniería Telemática
Tel: +34 944035555   Fax: +34 944035550
Parque Tecnológico Edif. 207, Bloque B, 1º
48170 Zamudio (Bizkaia)
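Sid's two questions (how to "route" a NAT entry that selects by service, and why an address that sits on the firewall's own interface never reaches the internal host) both come down to whether a firewall translates the destination before or after it makes its routing decision. The following is an added illustration, not code from this thread, from Check Point FW-1 or from the FAQ Eduardo links: a small Python model of a firewall that applies destination NAT either after the route lookup ("route first") or before it ("translate first"). The addresses 123.123.123.123, 192.168.210.210 and 192.168.120.120 are the ones from Sid's message; the second public address 123.123.123.124, the interface names eth0/eth1/eth2 and the firewall's internal gateway addresses are assumed for the example. Which ordering a given product or version uses is product-specific; the model only shows why the two orderings behave differently.

```python
"""
Simplified model of the two places a firewall can apply destination NAT:
after the routing decision ("route first") or before it ("translate first").
Added example, not Check Point FW-1 code.  123.123.123.123, 192.168.210.210
and 192.168.120.120 come from the thread; 123.123.123.124, the interface
names and the gateway addresses are assumed.
"""
import ipaddress

FW_PUBLIC = "123.123.123.123"   # the firewall's own external address
PUBLIC2 = "123.123.123.124"     # assumed second address from the provider
HTTP_HOST = "192.168.210.210"
SMTP_HOST = "192.168.120.120"

# Addresses configured on the firewall's own interfaces (gateway IPs assumed).
FW_LOCAL_ADDRS = {FW_PUBLIC, "192.168.210.1", "192.168.120.1"}

# Routing table, longest prefix wins.  The /32 entry is the
# "route add <public> <internal host>" trick from the thread, pointing the
# second public address at the interface the HTTP host lives on.
ROUTES = [
    ("192.168.210.0/24", "eth1"),
    ("192.168.120.0/24", "eth2"),
    (PUBLIC2 + "/32", "eth1"),
    ("0.0.0.0/0", "eth0"),
]

# Static destination NAT keyed by (original destination, service), i.e.
#   Any -> <public> (http) : Original -> HTTP_HOST (Original)
#   Any -> <public> (smtp) : Original -> SMTP_HOST (Original)
NAT_RULES = {
    (FW_PUBLIC, 80): HTTP_HOST,
    (FW_PUBLIC, 25): SMTP_HOST,
    (PUBLIC2, 80): HTTP_HOST,
    (PUBLIC2, 25): SMTP_HOST,
}


def route_lookup(dst: str) -> str:
    """Longest-prefix match of dst against ROUTES; returns the egress interface."""
    ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net, iface in ROUTES:
        n = ipaddress.ip_network(net)
        if ip in n and (best_net is None or n.prefixlen > best_net.prefixlen):
            best_net, best_iface = n, iface
    return best_iface


def translate(dst: str, dport: int) -> str:
    """Apply the NAT table; packets that match no entry keep their destination."""
    return NAT_RULES.get((dst, dport), dst)


def handle(dst: str, dport: int, translate_first: bool):
    """Return ("local", None) when the firewall's own IP stack takes the packet,
    or ("forward", (egress_iface, new_dst)) when the packet is forwarded."""
    if translate_first:
        # Translate, then route on the translated address.
        new_dst = translate(dst, dport)
        if new_dst in FW_LOCAL_ADDRS:
            return ("local", None)
        return ("forward", (route_lookup(new_dst), new_dst))
    # Route on the original address first.  A packet addressed to one of the
    # firewall's own addresses is delivered to its local stack and never
    # reaches the translation step, whatever the NAT table says.
    if dst in FW_LOCAL_ADDRS:
        return ("local", None)
    egress = route_lookup(dst)
    return ("forward", (egress, translate(dst, dport)))


def reaches_target(dst: str, dport: int, translate_first: bool) -> bool:
    """True only if the packet leaves on the interface that actually leads to
    its (translated) destination; a per-address route cannot get this right
    for two services that map to hosts on different interfaces."""
    action, detail = handle(dst, dport, translate_first)
    if action != "forward":
        return False
    egress, new_dst = detail
    return route_lookup(new_dst) == egress


if __name__ == "__main__":
    for public in (FW_PUBLIC, PUBLIC2):
        for port in (80, 25, 22):
            for first in (False, True):
                mode = "translate-first" if first else "route-first"
                print(public, port, mode, handle(public, port, first),
                      reaches_target(public, port, first))
```

With "route first", HTTP to the firewall's own address is handed to the local stack (the model's counterpart of the RST Sid saw with nothing on the internal interface), and the host route for the second address sends both HTTP and SMTP out eth1 even though the SMTP host is behind eth2. With "translate first", the route lookup sees the internal address, so each service is forwarded to the right interface and no route for the public address is needed at all; untranslated traffic to the firewall's own address still stays local.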