Re: [FW-1] NAT and Security
You should create an object with the invalid IP address, and set up Static NAT on the object with your valid IP address. If the firewall is 4.0 or 4.1, you need to mess with the local arp file under the State directory of the firewall and add a route on that firewall too (with NG you don't need to do this). I hope this was the answer you were looking for.

Sam

-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Wednesday, April 17, 2002 10:36 AM
To: [email protected]
Subject: Re: [FW-1] NAT and Security

I vote for (A), because that's what the packet is going to look like on its way in, and if your checking is being done Inbound or Eitherbound it's going to have to get through the security policy before the address is translated. Also, according to the folks in the know, NAT doesn't get done until *all* checking against the security policy is finished, so by the time the destination address has been swapped from 200.x to 192.168.x the rulebase is irrelevant.

BUT... In laying my hands on a few 4.x Checkpoint firewalls I've honestly seen some boxes that require (B) and don't care about (A). At the same time, others have required (A) and don't care about (B). I don't claim to have an explanation because this variance defies any notion of common sense. But the firewall wants what it wants, so at this point I've conceded that the bottom line is "whatever works."

-Russ

-----Original Message-----
From: Joao Coimbra [mailto:[email protected]]
Sent: Friday, April 12, 2002 3:12 AM
To: [email protected]
Subject: [FW-1] NAT and Security

Dear All,

I have one question about address translation and security. If I have the following situation:

webserver_int - 192.168.10.10
webserver_ext - 200.200.201.12 (www.ez.com)

I have created the NAT for those addresses, and I will have to configure the security.

At the security tab, which way must I configure, A or B:

A) Source: any
   Destination: 200.200.201.12 (external)
   Service: http
   Action: Accept

Or

B) Source: any
   Destination: 192.168.10.10 (internal)
   Service: http
   Action: Accept

Is it necessary to create a rule with the internal, external or both addresses?

Thanks a lot!!!
Best regards to all.

João Coimbra --> Technical Management - MCSE / ASE --> [email protected]
-------------------------------------------------------------------------------
Phone: +55 11 3365-0305 - Fax: +55 11 3365-0319
-------------------------------------------------------------------------------
EZTrade --> We turn your business into e-business --> www.eztrade.com.br

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
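The thread's point (Russ's explanation of why option A works) is that inbound rulebase checking happens on the packet as it arrives, i.e. with the public destination address, and static NAT rewrites the destination only after the policy has accepted the packet. The following added example, which is not part of the thread and not Check Point code, models that ordering in Python with a toy first-match rulebase and a static NAT table using the thread's two addresses (the client address 198.51.100.7 is constructed). It shows that rule A accepts the connection and forwards it to the internal address, while rule B never matches because the packet still carries 200.200.201.12 when the rulebase is consulted.

```python
"""Toy model of a packet filter that evaluates its rulebase BEFORE applying
static destination NAT, as described for FireWall-1 inbound checking.
Added example for illustration only; not Check Point's implementation."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the thread (the NAT pair) plus a constructed client address.
WEBSERVER_EXT = "200.200.201.12"   # valid/public address (NAT'd address)
WEBSERVER_INT = "192.168.10.10"    # invalid/private address (real host)
CLIENT = "198.51.100.7"            # constructed Internet client (documentation range)

# Static NAT table: translated (public) destination -> real (private) destination.
STATIC_NAT = {WEBSERVER_EXT: WEBSERVER_INT}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str       # "any" or a host/network in CIDR notation
    dst: str       # "any" or a host/network in CIDR notation
    dport: int
    action: str    # "accept" or "drop"


def _matches(field: str, value: str) -> bool:
    """'any' matches everything; otherwise test address membership."""
    return field == "any" or ip_address(value) in ip_network(field, strict=False)


def evaluate(rulebase, pkt: Packet) -> str:
    """First matching rule wins; an implicit drop applies if nothing matches."""
    for rule in rulebase:
        if (_matches(rule.src, pkt.src)
                and _matches(rule.dst, pkt.dst)
                and rule.dport == pkt.dport):
            return rule.action
    return "drop"


def inbound(rulebase, pkt: Packet):
    """Check the policy against the UNTRANSLATED packet, then apply static NAT
    only if it was accepted.  Returns (verdict, forwarded packet or None)."""
    verdict = evaluate(rulebase, pkt)
    if verdict != "accept":
        return verdict, None
    real_dst = STATIC_NAT.get(pkt.dst, pkt.dst)
    return verdict, Packet(pkt.src, real_dst, pkt.dport)


# The two candidate rules from the original question.
RULE_A = [Rule("any", WEBSERVER_EXT, 80, "accept")]   # matches the public address
RULE_B = [Rule("any", WEBSERVER_INT, 80, "accept")]   # matches the private address


def demo():
    """Run the same client packet through both rulebases."""
    client_pkt = Packet(CLIENT, WEBSERVER_EXT, 80)
    return {"A": inbound(RULE_A, client_pkt), "B": inbound(RULE_B, client_pkt)}


if __name__ == "__main__":
    for name, (verdict, fwd) in demo().items():
        tail = f" -> forwarded to {fwd.dst}" if fwd else ""
        print(f"rule {name}: {verdict}{tail}")
```

Running the script prints `rule A: accept -> forwarded to 192.168.10.10` and `rule B: drop`. On a real gateway, a quick way to confirm which address the rulebase actually sees is to log both candidate rules and compare the destination recorded in the hit against the pre- and post-NAT addresses, which is also the practical check behind Russ's "whatever works" observation for 4.x boxes.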