[FW-1] NG NAT with one valid IP doesn't work
Recap: a question has been asked about port address translation. A subscriber has answered this request for information by posting a link to PhoneBoy's website, which has an FAQ explaining that on NG you can use network address translation to translate the public IP of the firewall, port 80, to a private address on port 80. (The firewall in this scenario has a single public IP.)

I have tested this on two versions of NG on two platforms. I had no success on either using the following NAT rule. (Note: tested on NG FP1 IPSO and NG FP2 Win2k.)

    ORIG PACKET                    TRANS PACKET
    any - firewall - http          orig - web_server - orig

I did however have success using this 'single public IP bound to the firewall external NIC' scenario by using an 'http-mapped' rule as follows. (Note: this works on 4.1 SP5, NG FP1 IPSO and NG FP2 Win2k.)

    any - firewall   - http-mapped - accept
    any - web_server - http        - accept
    any - any        - any         - drop

Note, the 'http-mapped' match is set to 'SRV_REDIRECT(80,<web_server_ip>,80)'.

For these tests I had client side NAT enabled and the rule base was any accept.

I tested another scenario: 2 public IPs. One bound to the firewall external NIC; for the other I added a proxy ARP entry in Voyager. I then used a network address translation rule to port translate and IP translate. This was successful (as one would expect). (Tested on NG FP1 IPSO.)

    ORIG PACKET                          TRANS PACKET
    any - proxy_arp_pub_ip - http        orig - web_server - orig
    web_server - any - any               proxy_arp_pub_ip - orig - orig

----- Original Message -----
Subject: Re: [FW-1] NG NAT with one valid IP doesn't work

And again :-) : http://www.phoneboy.com/faq/0428.html

Tells it all....

Theo

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Raul Gonzalez
Sent: Monday, April 22, 2002 4:48 PM
To: [email protected]
Subject: [FW-1] NG NAT with one valid IP doesn't work

Hi, we have a NG FW FP1 with 3 interfaces, and a DSL Router to investigate.

Configuration is like that:

                      Web server (192.168.2.100)
                               |
                      DMZ LAN (192.168.2.0)
                               |
                         (192.168.2.135)
    192.168.1.0 (Internal LAN) ----- Firewall NG ----- INTERNET
           (192.168.1.135)                    (212.11.21.13 Valid address)

I am trying to make port mapping to the webserver for http and telnet services (http to web server and telnet to internal server) using NAT, and "Perform destination translation on the client side" is checked. However, I don't get NAT inside.

Rules:

    Any  Webserver       http    Accept  Log
    Any  Internalserver  telnet  Accept  Log

NAT RULES:

    Any  Firewall  http    Original  Webserver       Original  Gateways
    Any  Firewall  telnet  Original  Internalserver  Original  Gateways

I can get login but in Firewall host, not in Internalserver (no Xlated packets in Log, but I can see in log:

    61.62.63.123 (Origin)  Firewall (Destination)  telnet (Service)  5 (rule number)  Accept
    61.62.63.123 (Origin)  Firewall (Destination)  http (Service)    6 (rule number)  Accept

(I don't see drop packets about this, and "Log implied rules" is checked.)

WHY doesn't it translate???

In Global Properties is checked "Automatic rules intersection", "Perform destination translation on the client side" and "Automatic ARP configuration".

I have seen the Phoneboy document (http://www.phoneboy.com/faq/0428.html), but it doesn't work. What's wrong?? I would like to hear some advice...

Thanks in advance

Raul Gonzalez