[FW-1] Did NAT handling change by version/service pack? - Revised



Woops, I have to revise my scenario:  The NAT in question is source NAT, not
destination NAT.  The set of rules is:

Rule 1:  Real Destination Address --> Fake Internal box Address, Service,
Accept.
Rule 2:  Real Internal box Address--> Real Destination Address, Service,
Accept

On the box with SP3/Eitherbound, a ping reply from the internal box to the
destination box flies right by Rule 2 and instead gets nailed by the cleanup
rule at the bottom of the rulebase.  To make matters even more interesting,
the log of the dropped ping reply shows that the packet's real source
address is the post-NAT one, and that its *translated source* is its real
one.

Change the source on rule 2 to include the Fake Internal box Address and the
traffic starts moving.

I'm stumped as to why it acts this way.  Any ideas?

-Russ
>  -----Original Message-----
> From:         Russell Washington
> Sent: Friday, April 19, 2002 11:42 AM
> To:   '[email protected]'
> Subject:      Did NAT handling change by version/service pack?
>
> I'm trying to figure out a NAT mystery between a couple of 4.1 firewalls
> and hope you guys can help me clear it up.
>
> The first firewall is at 4.1SP0.  It applies the security policy in the
> "Inbound" direction only.  When doing a pair of unidirectional rules I
> have to do something like the following:
>
> Internal box --> Fake Destination Address, Service, Accept
> Real Destination Address --> Internal box, Service, Accept.
>
> This situation suggests that NAT is working like everyone says it should,
> being performed after not only routing, but after the security policy is
> applied to the packet.
>
> The second firewall is at 4.1SP3.  It applies the security policy in the
> "Eitherbound" direction.  When doing a pair of unidirectional rules I have
> to do something like the following:
>
> Internal box --> Real Destination Address, Service, Accept
> Real Destination Address --> Internal box, Service, Accept.
>
> Note the lack of any reference whatsoever to the fake destination address.
> If I try a set of rules like the one in my first firewall, traffic doesn't
> get through, even though the packet going from Inside to Outside is being
> sent to the Fake Destination Address.  This situation suggests that NAT is
> somehow being performed before the security policy check on the inbound
> interface.
>
> This isn't the first inconsistent NAT behavior I've noticed when comparing
> the two firewalls, but it's the first one I've been able to document
> clearly.  Does anyone know if NAT handling was changed in SP3?
>
> And yes, I know they should be on SP5.  That's going to happen fairly
> quickly, but I'd love to figure out what this inconsistency is about, and
> more importantly, what I should expect when SP5 is installed, because if
> they start treating NAT the same way one of them is going to have to get
> its rulebase tweaked. :)
>
> Thanks!
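As an added illustration that is not part of the original thread and not Check Point's code, the following Python model replays the ping-reply scenario under two orderings: rulebase evaluated on the pre-NAT packet, and source NAT applied before the rulebase is evaluated. The addresses are constructed, and "NAT before policy" is only a hypothesis that reproduces the symptom described above (Rule 2 skipped, cleanup drop, translated address logged as the source).

```python
# Model of rulebase matching vs. source-NAT ordering (added example; hypothesis,
# not Check Point's actual packet path).
from dataclasses import dataclass

INTERNAL_REAL = "10.0.0.5"      # constructed: real address of the internal box
INTERNAL_FAKE = "192.0.2.5"     # constructed: its post-NAT (translated) address
DEST_REAL = "198.51.100.9"      # constructed: real address of the destination box


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def make_rulebase(rule2_sources):
    """Rules as (sources, destinations, service, action); last entry is cleanup."""
    return [
        ({DEST_REAL}, {INTERNAL_FAKE}, "icmp", "accept"),      # Rule 1
        (set(rule2_sources), {DEST_REAL}, "icmp", "accept"),  # Rule 2
        ("any", "any", "any", "drop"),                        # cleanup rule
    ]


def match(rulebase, pkt):
    """First-match evaluation; returns (rule number, action)."""
    for number, (srcs, dsts, svc, action) in enumerate(rulebase, 1):
        src_ok = srcs == "any" or pkt.src in srcs
        dst_ok = dsts == "any" or pkt.dst in dsts
        if src_ok and dst_ok and svc in ("any", pkt.service):
            return number, action
    raise AssertionError("rulebase has no cleanup rule")


def source_nat(pkt):
    """Static source NAT: internal box's real address -> fake address on the way out."""
    if pkt.src == INTERNAL_REAL:
        return Packet(INTERNAL_FAKE, pkt.dst, pkt.service)
    return pkt


def filter_reply(rulebase, nat_before_policy):
    """Return (matched rule, action, source address the log would show)
    for the ping reply leaving the internal box toward the destination."""
    reply = Packet(INTERNAL_REAL, DEST_REAL, "icmp")
    checked = source_nat(reply) if nat_before_policy else reply
    number, action = match(rulebase, checked)
    return number, action, checked.src
```

With the rulebase from the post, `filter_reply(make_rulebase([INTERNAL_REAL]), True)` lands on the cleanup rule with the fake address as logged source, and adding the fake address to Rule 2's sources makes the reply match Rule 2 again.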
