Re: [FW-1] NAT problem with FW's external IP address and port selection



Dear Sid,

On Monday, 15 April 2002, 16:25:45, you wrote:

SVdH> On Mon, 15 Apr 2002, Ilker Gokhan wrote:

>> Sid Van den Heede wrote:
>>
>> > I'm trying to setup a firewall on a network where I have one public IP address
>> > assigned.  I want to have incoming http requests forwarded to an internal
>> > machine (private IP address).
>> >
>> > I have a rule that resembles this:
>> >
>> > Any -> firewall-public-address (http) Accept
>> >
>> > and a NAT rule like this:
>> >
>> > Any -> firewall-public-address (http) : Original -> internal-IP (Original)
>> >
>> > When I try to access the service, the firewall responds by resetting the
>> > connection request.  The request never appears on the internal interface.
>> >
>> > What am I missing?
>>
>> Maybe you have an IP spoofing problem, or a routing problem? Please check
>> both of these situations.
>>
>> Best regards,
>> Ilker G.

SVdH> The log file said it accepted the connection and translated the destination
SVdH> address.

SVdH> Tcpdump showed that the SYN packet was responded to with a RST packet on the
SVdH> external interface.  The internal interface showed no traffic associated with
SVdH> this connection.

SVdH> I don't know what routing I could have done.  Typically with NAT you add a
SVdH> route to redirect traffic addressed to the service's external address to its
SVdH> internal address, something like this:

SVdH>    route add 123.123.123.123 192.168.210.210

SVdH> Now, that will work if 123.123.123.123 is associated with 192.168.210.210 for
SVdH> all services.  What if I want HTTP traffic to go there, but SMTP traffic to go
SVdH> to, say, 192.168.120.120?  The NAT table suggests I can do that, but how do I
SVdH> route?

SVdH> Is that why I can't get it to work, because I'd have to route the firewall's
SVdH> own external address to this internal machine?

SVdH> Here's another observation.  I managed to get a second IP address from the
SVdH> provider.  I did the normal NAT thing for that address, but in my haste I added
SVdH> this second IP address as an alias address (as in "ipconfig eth0:1 ...").  That
SVdH> produced the same result.  When I realized my mistake and shut down eth0:1, that
SVdH> put it back to normal, and, of course, it worked fine.

SVdH> So, this would seem to suggest that you cannot route an address that appears on
SVdH> one of a firewall's interfaces to an internal host, and therefore you cannot
SVdH> have a single IP address on a firewall's external network and expect to NAT
SVdH> based on service to an internal host.

SVdH> Does this seem to be the case?  Unfortunately, the documentation doesn't give
SVdH> any clear indication of how to do NAT where a service is selected, in terms of
SVdH> describing abilities and limitations.

SVdH> =================================================
SVdH> To set vacation, Out Of Office, or away messages,
SVdH> send an email to [email protected]
SVdH> in the BODY of the email add:
SVdH> set fw-1-mailinglist nomail
SVdH> =================================================
SVdH> To unsubscribe from this mailing list,
SVdH> please see the instructions at
SVdH> http://www.checkpoint.com/services/mailing.html
SVdH> =================================================
SVdH> If you have any questions on how to change your
SVdH> subscription options, email
SVdH> [email protected]
SVdH> =================================================



--
Hi,

take a good look at this http://www.phoneboy.com/faq/0428.html

 Eduardo


  Eduardo Eirós Valle                        mailto:[email protected]

  Nextel S.A. Ingeniería Telemática

  Tel: +34 944035555  Fax: +34 944035550

  Parque Tecnológico Edif. 207, Bloque B, 1º

  48170- Zamudio (Bizkaia)

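As an added illustration (not code from the thread or from FireWall-1), here is a small Python model of the packet path Sid's quoted message describes. It assumes the ordering the "route add" step implies: the firewall decides local delivery and routing on the untranslated destination, and the NAT rewrite is applied on the way out; the second public address and the model itself are constructed. It reproduces the RST on a firewall-owned address, the failure with the aliased address, and why a route keyed on address alone cannot pick a next hop per service.

```python
from dataclasses import dataclass

PUBLIC_FW = "123.123.123.123"   # firewall's own external address (from the thread)
PUBLIC_2 = "123.123.123.124"    # constructed stand-in for the second provider address
WEB = "192.168.210.210"         # internal HTTP host (from the thread)
MAIL = "192.168.120.120"        # internal SMTP host (from the thread)

# NAT table keyed by (original destination, service), mirroring the thread's NAT rule.
NAT = {(PUBLIC_FW, "http"): WEB, (PUBLIC_2, "http"): WEB, (PUBLIC_2, "smtp"): MAIL}


@dataclass
class Firewall:
    interface_addrs: frozenset          # addresses bound to the firewall's interfaces
    routes: dict                        # static routes: destination -> next hop
    listeners: frozenset = frozenset()  # services the firewall itself serves

    def handle_syn(self, dst: str, service: str) -> str:
        # 1. An address bound to an interface belongs to the firewall's own stack:
        #    with no listener there, the stack answers the SYN with a RST (Sid's tcpdump).
        if dst in self.interface_addrs:
            return "accepted locally" if service in self.listeners else "RST"
        # 2. Otherwise the packet is routed on the untranslated address; a route is
        #    keyed by address only, so it cannot choose a different next hop per service.
        nxt = self.routes.get(dst)
        if nxt is None:
            return "dropped: no route"
        # 3. Translation to the internal host is applied on the way out.
        return f"forwarded to {NAT.get((dst, service), dst)} via {nxt}"


def scenario_results() -> dict:
    """The situations from the thread, evaluated against the model."""
    own_addr = Firewall(frozenset({PUBLIC_FW}), {})
    aliased = Firewall(frozenset({PUBLIC_FW, PUBLIC_2}), {PUBLIC_2: WEB})
    routed = Firewall(frozenset({PUBLIC_FW}), {PUBLIC_2: WEB})
    return {
        "own address, no alias": own_addr.handle_syn(PUBLIC_FW, "http"),
        "second address as eth0:1 alias": aliased.handle_syn(PUBLIC_2, "http"),
        "second address routed, http": routed.handle_syn(PUBLIC_2, "http"),
        # the single route sends SMTP to the web host's next hop even though NAT picks MAIL
        "second address routed, smtp": routed.handle_syn(PUBLIC_2, "smtp"),
    }


if __name__ == "__main__":
    for name, outcome in scenario_results().items():
        print(f"{name:32} -> {outcome}")
```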



 