[FW-1] Did NAT handling change by version/service pack?
I'm trying to figure out a NAT mystery between a couple of 4.1 firewalls and hope you guys can help me clear it up.

The first firewall is at 4.1SP0. It applies the security policy in the "Inbound" direction only. When doing a pair of unidirectional rules I have to do something like the following:

Internal box --> Fake Destination Address, Service, Accept
Real Destination Address --> Internal box, Service, Accept

This situation suggests that NAT is working like everyone says it should, being performed after not only routing, but after the security policy is applied to the packet.

The second firewall is at 4.1SP3. It applies the security policy in the "Eitherbound" direction. When doing a pair of unidirectional rules I have to do something like the following:

Internal box --> Real Destination Address, Service, Accept
Real Destination Address --> Internal box, Service, Accept

Note the lack of any reference whatsoever to the fake destination address. If I try a set of rules like the one in my first firewall, traffic doesn't get through, even though the packet going from Inside to Outside is being sent to the Fake Destination Address. This situation suggests that NAT is somehow being performed before the security policy check on the inbound interface.

This isn't the first inconsistent NAT behavior I've noticed when comparing the two firewalls, but it's the first one I've been able to document clearly. Does anyone know if NAT handling was changed in SP3?

And yes, I know they should be on SP5. That's going to happen fairly quickly, but I'd love to figure out what this inconsistency is about, and more importantly, what I should expect when SP5 is installed, because if they start treating NAT the same way one of them is going to have to get its rulebase tweaked. :)

Thanks!
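The following is an added illustration, not part of the original thread or of any Check Point code: a small model of the two processing orders the post contrasts (policy inspected before NAT on the inbound interface only, versus NAT applied before inspection with the policy also checked on the outbound interface), using constructed addresses and modelling only the Inside-to-Outside packet. It shows which single rule destination lets the flow through under each order, so the hypothesis in the post can be checked against a rulebase before anything is changed on a live gateway.

```python
from dataclasses import dataclass, replace

# Constructed sample values; none of these come from the post.
INTERNAL = "10.0.0.5"
FAKE_DST = "192.0.2.10"      # address the internal box actually sends to
REAL_DST = "198.51.100.10"   # address the NAT rule translates it to
NAT_TABLE = {FAKE_DST: REAL_DST}
SERVICE = "http"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src, rule.dst, rule.service) == (pkt.src, pkt.dst, pkt.service)


def apply_nat(pkt: Packet) -> Packet:
    # Static destination NAT; a no-op for addresses not in the table.
    return replace(pkt, dst=NAT_TABLE.get(pkt.dst, pkt.dst))


def forward(pkt: Packet, rules: list, nat_before_inspection: bool, eitherbound: bool) -> bool:
    """Walk an Inside-to-Outside packet through the gateway; True if accepted.
    Inbound interface: inspect (pre- or post-NAT, per the flag), then translate.
    Outbound interface: inspected again only when the policy is Eitherbound."""
    if nat_before_inspection:
        pkt = apply_nat(pkt)
    if not any(matches(r, pkt) for r in rules):
        return False
    pkt = apply_nat(pkt)  # idempotent if translation already happened
    if eitherbound and not any(matches(r, pkt) for r in rules):
        return False
    return True


def single_rule_destinations_that_pass(nat_before_inspection: bool, eitherbound: bool) -> set:
    """Which destination, used in a single accept rule, lets the flow through."""
    pkt = Packet(INTERNAL, FAKE_DST, SERVICE)
    return {d for d in (FAKE_DST, REAL_DST)
            if forward(pkt, [Rule(INTERNAL, d, SERVICE)], nat_before_inspection, eitherbound)}
```

Running the model with inspection before NAT and Eitherbound enabled yields no single rule destination that passes (both the fake and the real address would be needed), so a rulebase that works with only the real address is consistent with NAT happening before the inbound inspection, as the post suspects.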