
[FW-1] NG NAT with one valid IP doesn't work



Recap:

A question has been asked about port address translation. A subscriber has
answered this request for information by posting a link to PhoneBoy's website,
which has an FAQ explaining that on NG you can use network address
translation to translate the public IP of the firewall, port 80, to a private
address on port 80. (The firewall in this scenario has a single public IP.)

I have tested this on two versions of NG on two platforms. I had no success
on either using the following NAT rule.
(Note: tested on NG FP1 IPSO and NG FP2 Win2K.)

ORIG PACKET                        TRANS PACKET
any - firewall - http              orig - web_server - orig

I did however have success using this 'single public IP bound to the
firewall external NIC' scenario by using an 'http-mapped' rule as follows:
(Note: this works on 4.1 SP5, NG FP1 IPSO and NG FP2 Win2K.)

any - firewall - http-mapped - accept
any - web_server - http - accept
any - any - any - drop

Note, the 'http-mapped' match is set to
'SRV_REDIRECT(80,<web_server_ip>,80)'

For these tests I had client side NAT enabled and the rule base was any
accept.

I tested another scenario: 2 public IPs, one bound to the firewall external
NIC; for the other I added a proxy ARP entry in Voyager. I then used a
network address translation rule to port translate and IP translate. This
was successful (as one would expect). (Tested on NG FP1 IPSO.)

ORIG PACKET                          TRANS PACKET
any - proxy_arp_pub_ip - http        orig - web_server - orig
web_server - any - any               proxy_arp_pub_ip - orig - orig






----- Original Message -----

Subject: Re: [FW-1] NG NAT with one valid IP doesn't work


And again :-) :

http://www.phoneboy.com/faq/0428.html

Tells it all....

Theo


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Raul Gonzalez
Sent: Monday, April 22, 2002 4:48 PM
To: [email protected]
Subject: [FW-1] NG NAT with one valid IP doesn't work


Hi,
we have an NG FW FP1 with 3 interfaces, and a DSL Router to investigate.
The configuration is like this:

                                  Web server (192.168.2.100)
                                             |
                                    DMZ LAN (192.168.2.0)
                                             |
                                       (192.168.2.135)
192.168.1.0 (Internal LAN) ---------- Firewall NG ---------- INTERNET
                          (192.168.1.135)    (212.11.21.13 valid address)


I am trying to make port mapping to the webserver for http and telnet services
(http to the web server and telnet to the internal server)
using NAT, and "Perform destination translation on the client side" is
checked.
However, I don't get NAT inside.

Rules :

Any   Webserver         http        Accept       Log
Any   Internalserver     telnet      Accept       Log

NAT RULES :

Any     Firewall    http      Original    Webserver         Original    Gateways
Any     Firewall    telnet    Original    Internalserver    Original    Gateways

I can log in, but on the Firewall host, not on Internalserver (no Xlated
packets in the log, but I can see in the log:
61.62.63.123 (Origin)   Firewall (Destination)   telnet (Service)   5 (rule number)   Accept
61.62.63.123 (Origin)   Firewall (Destination)   http (Service)     6 (rule number)   Accept
(I don't see dropped packets for this, and "Log implied rules" is checked.)

WHY doesn't it translate???
In Global Properties, "Automatic rules intersection", "Perform
destination translation on the client side" and
"Automatic ARP configuration" are checked.
I have seen the PhoneBoy document (http://www.phoneboy.com/faq/0428.html),
but it doesn't work.
What's wrong??

I would like to hear some advice...
Thanks in advance

Raul Gonzalez
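A defender-side check for the symptom Raul reports, added here as an example that is not part of the thread and not Check Point's own tooling: it parses log records in the layout quoted above and flags accepted connections that terminated on the gateway object itself with no translated destination recorded. The "XlateDst" column, the Internalserver address and the ssh/Drop record are assumptions constructed for the sample.

```python
import re
from collections import namedtuple

# Constructed sample records in the field order the thread quotes (Origin,
# Destination, Service, rule number, Action). The trailing "XlateDst" column is
# an assumption standing in for the translated destination logged when NAT fires.
FIREWALL_NAMES = {"Firewall", "212.11.21.13"}   # gateway object name and its address
EXPECTED_FORWARDS = {                            # service -> host NAT should reach
    "http": "192.168.2.100",                     # Webserver on the DMZ
    "telnet": "192.168.1.50",                    # Internalserver (address assumed)
}
SAMPLE_LOG = """\
61.62.63.123 (Origin) Firewall (Destination) telnet (Service) 5 (rule number) Accept
61.62.63.123 (Origin) Firewall (Destination) http (Service) 6 (rule number) Accept
61.62.63.123 (Origin) Firewall (Destination) http (Service) 6 (rule number) Accept XlateDst 192.168.2.100
61.62.63.123 (Origin) Firewall (Destination) ssh (Service) 7 (rule number) Drop
"""
LINE_RE = re.compile(
    r"(?P<src>\S+) \(Origin\)\s+(?P<dst>\S+) \(Destination\)\s+(?P<svc>\S+) \(Service\)"
    r"\s+(?P<rule>\d+) \(rule number\)\s+(?P<action>\w+)(?:\s+XlateDst (?P<xdst>\S+))?$"
)
Entry = namedtuple("Entry", "src dst svc rule action xlate_dst")

def parse_log(text):
    """Parse the quoted-field layout; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["src"], m["dst"], m["svc"], int(m["rule"]),
                                 m["action"], m["xdst"]))
    return entries

def untranslated_hits(text, fw_names=FIREWALL_NAMES, expected=EXPECTED_FORWARDS):
    """One finding per accepted connection that landed on the gateway's own
    address for a service NAT should have forwarded, with no translated
    destination recorded: the symptom the original poster describes."""
    findings = []
    for e in parse_log(text):
        if e.action != "Accept" or e.dst not in fw_names or e.svc not in expected:
            continue
        if e.xlate_dst != expected[e.svc]:
            findings.append(f"rule {e.rule}: {e.svc} from {e.src} accepted on the "
                            f"gateway itself, expected NAT to {expected[e.svc]}")
    return findings

if __name__ == "__main__":
    for finding in untranslated_hits(SAMPLE_LOG):
        print(finding)
```

Run against the two records Raul quotes, it reports both rule 5 and rule 6; a record carrying the expected translated destination passes, which is what the log should look like once the NAT rule actually fires.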

   All contents © 2004 Network Presence, LLC. All rights reserved.