
[FW-1] Did NAT handling change by version/service pack?



I'm trying to figure out a NAT mystery between a couple of 4.1 firewalls and
hope you guys can help me clear it up.

The first firewall is at 4.1SP0.  It applies the security policy in the
"Inbound" direction only.  When doing a pair of unidirectional rules I have
to do something like the following:

Internal box --> Fake Destination Address, Service, Accept
Real Destination Address --> Internal box, Service, Accept.

This situation suggests that NAT is working like everyone says it should,
being performed after not only routing, but after the security policy is
applied to the packet.

The second firewall is at 4.1SP3.  It applies the security policy in the
"Eitherbound" direction.  When doing a pair of unidirectional rules I have
to do something like the following:

Internal box --> Real Destination Address, Service, Accept
Real Destination Address --> Internal box, Service, Accept.

Note the lack of any reference whatsoever to the fake destination address.
If I try a set of rules like the one in my first firewall, traffic doesn't
get through, even though the packet going from Inside to Outside is being
sent to the Fake Destination Address.  This situation suggests that NAT is
somehow being performed before the security policy check on the inbound
interface.

This isn't the first inconsistent NAT behavior I've noticed when comparing
the two firewalls, but it's the first one I've been able to document
clearly.  Does anyone know if NAT handling was changed in SP3?

And yes, I know they should be on SP5.  That's going to happen fairly
quickly, but I'd love to figure out what this inconsistency is about, and
more importantly, what I should expect when SP5 is installed, because if
they start treating NAT the same way one of them is going to have to get its
rulebase tweaked. :)

Thanks!

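The two orderings the poster describes can be modelled directly: in one, the security policy is evaluated on the packet as it arrives and the destination is translated afterwards, so the outbound rule has to name the fake address; in the other, the translation happens first and the policy sees the real address. The following is an added example written for this archive page, not code from the original post or from Check Point. The addresses, the service name and the two rulebases are constructed to mirror the post; the single static destination-NAT entry and the first-match/implicit-drop policy semantics are assumptions of the model, and only the outbound leg is modelled.

```python
"""Toy model of 'policy before NAT' versus 'NAT before policy' for one outbound packet.

Added illustration for the mailing-list post above; all addresses are constructed
and the pipeline behaviour is an assumption, not a description of FireWall-1 internals.
"""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str

# Constructed addresses standing in for the post's "Internal box",
# "Fake Destination Address" and "Real Destination Address".
INTERNAL = "10.1.1.50"
FAKE_DST = "192.168.9.9"
REAL_DST = "203.0.113.7"
SERVICE = "http"

# Assumed static destination NAT: traffic sent to the fake address is
# rewritten to the real one on its way out.
DST_NAT = {FAKE_DST: REAL_DST}

# Rulebases as described in the post: (source, destination, service, action).
# First rulebase references the fake address; the second references the real one.
RULES_WITH_FAKE_DST = [
    (INTERNAL, FAKE_DST, SERVICE, "accept"),
    (REAL_DST, INTERNAL, SERVICE, "accept"),
]
RULES_WITH_REAL_DST = [
    (INTERNAL, REAL_DST, SERVICE, "accept"),
    (REAL_DST, INTERNAL, SERVICE, "accept"),
]

# The outbound packet as the internal host actually sends it.
OUTBOUND = Packet(INTERNAL, FAKE_DST, SERVICE)


def apply_nat(pkt: Packet) -> Packet:
    """Rewrite the destination if a static NAT entry exists for it."""
    return replace(pkt, dst=DST_NAT.get(pkt.dst, pkt.dst))


def policy_allows(pkt: Packet, rules) -> bool:
    """First matching rule wins; no match means the implicit drop."""
    for src, dst, svc, action in rules:
        if pkt.src == src and pkt.dst == dst and pkt.service == svc:
            return action == "accept"
    return False


def policy_then_nat(pkt: Packet, rules):
    """Ordering the post observes on the SP0 box: policy on the packet as
    received, NAT only afterwards. Returns the forwarded packet or None."""
    if not policy_allows(pkt, rules):
        return None
    return apply_nat(pkt)


def nat_then_policy(pkt: Packet, rules):
    """Ordering the post infers for the SP3 box: NAT rewrite first, then policy
    on the translated packet. Returns the forwarded packet or None."""
    translated = apply_nat(pkt)
    if not policy_allows(translated, rules):
        return None
    return translated


def outcome_matrix():
    """Whether OUTBOUND gets through for each (pipeline, rulebase) combination."""
    pipelines = {"policy_then_nat": policy_then_nat, "nat_then_policy": nat_then_policy}
    rulebases = {"rules_with_fake_dst": RULES_WITH_FAKE_DST,
                 "rules_with_real_dst": RULES_WITH_REAL_DST}
    return {(p_name, r_name): fn(OUTBOUND, rules) is not None
            for p_name, fn in pipelines.items()
            for r_name, rules in rulebases.items()}


if __name__ == "__main__":
    for (pipeline, rulebase), passed in outcome_matrix().items():
        print(f"{pipeline:16s} {rulebase:20s} {'pass' if passed else 'DROP'}")
```

Each rulebase passes the packet under exactly one ordering and drops it under the other, which is the behaviour the post reports. In this model the only variable is where the NAT rewrite sits relative to the policy lookup, so if the two boxes end up with the same ordering after an upgrade, one of the two rulebases would indeed need the destination in its outbound rule changed.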



 
   All contents © 2004 Network Presence, LLC. All rights reserved.