Re: [FW-1] NAT and Security



You should create an object with the invalid IP address, and set up Static NAT on
the object with your valid IP address.
If the firewall is 4.0 or 4.1, you need to mess with the local arp file under the
state directory of the firewall and add a route on that firewall too (with
NG you don't need to do this).
I hope this was the answer you were looking for.

Sam

-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Wednesday, April 17, 2002 10:36 AM
To: [email protected]
Subject: Re: [FW-1] NAT and Security

I vote for (A), because that's what the packet is going to look like on its
way in, and if your checking is being done Inbound or Eitherbound it's
going to have to get through the security policy before the address is
translated.  Also, according to the folks in the know NAT doesn't get done
until *all* checking against the security policy is finished, so by the time
the destination address has been swapped from 200.x to 192.168.x the
rulebase is irrelevant.

BUT...

In laying my hands on a few 4.x Checkpoint firewalls I've honestly seen some
boxes that require (B) and don't care about (A).  At the same time, others
have required (A) and don't care about (B).  I don't claim to have an
explanation because this variance defies any notion of common sense.  But
the firewall wants what it wants, so at this point I've conceded that the
bottom line is "whatever works."

-Russ
-----Original Message-----
From: Joao Coimbra [mailto:[email protected]]
Sent: Friday, April 12, 2002 3:12 AM
To: [email protected]
Subject: [FW-1] NAT and Security


Dear All,
I have one question about translation address and security.
If I have the following situation:
webserver_int - 192.168.10.10
webserver_ext - 200.200.201.12 (www.ez.com)
I have created the NAT for those addresses, and I will have to configure the
security.
On the security tab, which way must I configure it, A or B:
A)
source: any
Destination: 200.200.201.12 (external)
Service: http
Action: Accept
Or
B)
source: any
Destination: 192.168.10.10 (internal)
Service: http
Action: Accept
Is it necessary to create a rule with the internal, external or both addresses?
Thanks a lot!!!
Best Regards for all.



João Coimbra --> Technical Management - MCSE / ASE
--> [email protected]
-------------------------------------------------------------------------------
Phone: +55 11 3365-0305 - Fax: +55 11 3365-0319
-------------------------------------------------------------------------------
EZTrade --> We transform your business into e-business
--> www.eztrade.com.br

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
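
Added example, not part of the original thread and not Check Point code: a small Python model of the two orderings discussed above (rulebase checked before the static NAT, as Russ describes, versus against the translated address, as he saw on some boxes), using the addresses from the question. The names Rule, STATIC_NAT, first_match and inbound are hypothetical, and the ordering switch is an assumption of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    dst: str     # destination host or network in CIDR form
    port: int
    action: str


# Static destination NAT from the thread: external -> internal web server.
STATIC_NAT = {"200.200.201.12": "192.168.10.10"}

RULE_A = Rule("A", "200.200.201.12/32", 80, "accept")  # external address
RULE_B = Rule("B", "192.168.10.10/32", 80, "accept")   # internal address


def first_match(rules, dst, port):
    """Return the name of the first matching rule, or None (implicit drop)."""
    for r in rules:
        if ip_address(dst) in ip_network(r.dst) and port == r.port:
            return r.name
    return None


def inbound(rules, dst, port, policy_before_nat=True):
    """Model one inbound packet; returns (matched_rule, delivered_to)."""
    translated = STATIC_NAT.get(dst, dst)
    # The address the rulebase sees depends on the assumed ordering.
    seen = dst if policy_before_nat else translated
    matched = first_match(rules, seen, port)
    return matched, (translated if matched else None)


if __name__ == "__main__":
    for before in (True, False):
        for rules in ([RULE_A], [RULE_B]):
            result = inbound(rules, "200.200.201.12", 80, before)
            print(f"policy_before_nat={before} rule={rules[0].name} -> {result}")
```

Whichever ordering a given gateway follows, the rule that actually logs the accept for a test connection to 200.200.201.12 is the one the policy depends on; the other can be removed rather than left as an unused accept.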

   All contents © 2004 Network Presence, LLC. All rights reserved.