Re: [FW-1] NG NAT with one valid IP doesn't work
I agree with Jim; the link to phoneboy's doesn't work for NG.

I tested with tcp_wrappers and Netcat, modifying /etc/services and /etc/inetd.conf, and that's right, but NG doesn't translate anything (I don't need any NAT rule).

I tested a new service "other", named telnet_mapped, with IP protocol 6 and a Match definition of SRV_REDIRECT(23, telnethost, 23), and this works fine!!!, but I don't need these NAT rules:
NAT RULES:

  Orig Source   Orig Dest   Orig Service   Xlated Source   Xlated Dest      Xlated Service   Install On
  Any           Firewall    http           Original        Webserver        Original         Gateways
  Any           Firewall    telnet         Original        Internalserver   Original         Gateways

I only need these NAT rules (to get out to the Internet from the internal LAN):

  Orig Source    Orig Dest      Orig Service   Xlated Source   Xlated Dest   Xlated Service
  Internal_lan   Internal_lan   any            Original        Original      Original
  Internal_lan   any            any            Original        Valid_IP      Original
And the only RULE necessary is:

  Source                Destination   Service         Action   Track
  Negate Internal_lan   Firewall      telnet_mapped   Accept   Log
  Any                   Any           Any             Drop     Log
This works fine!!! I can see the Xlated destination in the packets when I telnet to the external IP address, like this:

  Origin:        61.62.63.123
  Destination:   Firewall
  Service:       telnet
  Rule number:   5
  Action:        Accept
  Xlated dest.:  telnethost
  Xlated port:   telnet
I think phoneboy's document is wrong in some things, or not well explained to me.

Raul
----- Original Message -----
From: "Jim Parker" <[email protected]>
To: <[email protected]>
Sent: Tuesday, April 23, 2002 1:12 PM
Subject: [FW-1] NG NAT with one valid IP doesn't work

> A question has been asked about port address translation. A subscriber has
> answered this request for information by posting a link to phoneboy's website,
> which has an FAQ explaining that on NG you can use network address
> translation to translate the public IP of the firewall, port 80, to a private
> address on port 80. (The firewall in this scenario has a single public IP.)
>
> I have tested this on two versions of NG on two platforms. I had no success
> on either using the following NAT rule.
> (note: tested on NG FP1 IPSO and NG FP2 Win2k)
>
> ORIG PACKET              TRANS PACKET
> any - firewall - http    orig - web_server - orig
>
> I did however have success using this 'single public IP bound to the
> firewall external NIC' scenario by using an 'http-mapped' rule as follows:
> (note, this works on 4.1 SP5, NG FP1 IPSO and NG FP2 Win2k)
>
> any - firewall - http-mapped - accept
> any - web_server - http - accept
> any - any - any - drop
>
> Note, the 'http-mapped' match is set to
> 'SRV_REDIRECT(80,<web_server_ip>,80)'
>
> For these tests I had client side NAT enabled and the rule base was any
> accept.
>
> I tested another scenario: 2 public IPs, one bound to the firewall external
> NIC, the other I added a proxy ARP entry for in Voyager. I then used a
> network address translation rule to port translate and IP translate. This
> was successful (as one would expect) (tested on NG FP1 IPSO).
>
> ORIG PACKET                      TRANS PACKET
> any - proxy_arp_pub_ip - http    orig - web_server - orig
> web_server - any - any           proxy_arp_pub_ip - orig - orig
>
> ----- Original Message -----
> > Subject: Re: [FW-1] NG NAT with one valid IP doesn't work
> >
> > And again :-) :
> >
> > http://www.phoneboy.com/faq/0428.html
> >
> > Tells it all....
> >
> > Theo
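The rule bases quoted in this thread lend themselves to a small first-match model. What follows is an added example, not code from either message or from Check Point: a toy evaluator for the security rules and NAT rules Raul lists, with the telnet_mapped service carrying the SRV_REDIRECT(23, telnethost, 23) match, and with Jim's point that the rule base sees the original (pre-translation) packet. The addresses, the outbound accept rule (rule 2 of the security rules) and the modelling of the second NAT rule as a source hide behind Valid_IP are assumptions made for illustration; the posts give object names only.

```python
import ipaddress
from dataclasses import dataclass, replace

# Network objects. Addresses are constructed samples: the thread names the
# objects but gives no IPs apart from the external client 61.62.63.123.
OBJECTS = {
    "Internal_lan": ipaddress.ip_network("192.168.1.0/24"),
    "Firewall": ipaddress.ip_network("203.0.113.1/32"),    # the single valid IP
    "Valid_IP": ipaddress.ip_network("203.0.113.1/32"),    # hide behind that same IP
    "telnethost": ipaddress.ip_network("192.168.1.23/32"),
}

# Services. "telnet_mapped" carries the SRV_REDIRECT(23, telnethost, 23)
# match from the post; plain services redirect nothing.
SERVICES = {
    "telnet": {"proto": "tcp", "port": 23, "redirect": None},
    "http": {"proto": "tcp", "port": 80, "redirect": None},
    "telnet_mapped": {"proto": "tcp", "port": 23, "redirect": ("telnethost", 23)},
}

# NAT rules: (orig src, orig dst, orig svc, xlated src, xlated dst, xlated svc).
# Rule 1 is the post's no-NAT rule for internal-to-internal traffic. Rule 2 is
# modelled as hiding the source behind Valid_IP (an assumption about the
# intended hide rule; the post lists its columns differently).
NAT_RULES = [
    ("Internal_lan", "Internal_lan", "Any", "Original", "Original", "Original"),
    ("Internal_lan", "Any", "Any", "Valid_IP", "Original", "Original"),
]

# Security rules: (src, dst, svc, action). Rules 1 and 3 are quoted from the
# post; rule 2 is an ASSUMED outbound rule so the NAT rules have traffic to act on.
SECURITY_RULES = [
    ("Negate Internal_lan", "Firewall", "telnet_mapped", "Accept"),
    ("Internal_lan", "Any", "Any", "Accept"),
    ("Any", "Any", "Any", "Drop"),
]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def in_object(ip, name):
    """True if ip belongs to the named object; handles "Any" and "Negate X"."""
    if name == "Any":
        return True
    if name.startswith("Negate "):
        return not in_object(ip, name[len("Negate "):])
    return ipaddress.ip_address(ip) in OBJECTS[name]

def service_matches(pkt, name):
    if name == "Any":
        return True
    svc = SERVICES[name]
    return pkt.proto == svc["proto"] and pkt.dport == svc["port"]

def object_ip(name):
    """Address of a single-host object (all that this toy model needs)."""
    return str(OBJECTS[name].network_address)

def first_match(pkt, rules):
    """First-match semantics: (1-based rule number, rule) or (None, None)."""
    for number, rule in enumerate(rules, 1):
        src, dst, svc = rule[:3]
        if in_object(pkt.src, src) and in_object(pkt.dst, dst) and service_matches(pkt, svc):
            return number, rule
    return None, None

def evaluate(pkt):
    """Rule base on the original packet first (which is why the log's Destination
    column still says Firewall), then NAT, then the service's own SRV_REDIRECT."""
    rule_no, rule = first_match(pkt, SECURITY_RULES)
    result = {"rule": rule_no, "action": rule[3] if rule else "Drop", "nat_rule": None,
              "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
    if result["action"] != "Accept":
        return result
    out = replace(pkt)
    nat_no, nat = first_match(pkt, NAT_RULES)
    if nat:
        xsrc, xdst, xsvc = nat[3:]
        if xsrc != "Original":
            out.src = object_ip(xsrc)
        if xdst != "Original":
            out.dst = object_ip(xdst)
        if xsvc != "Original":
            out.dport = SERVICES[xsvc]["port"]
    redirect = SERVICES[rule[2]]["redirect"] if rule[2] != "Any" else None
    if redirect:
        out.dst, out.dport = object_ip(redirect[0]), redirect[1]
    result.update(nat_rule=nat_no, src=out.src, dst=out.dst, dport=out.dport)
    return result

if __name__ == "__main__":
    # Constructed sample packets; 61.62.63.123 is the client from the post's log.
    for p in (Packet("61.62.63.123", "203.0.113.1", "tcp", 23),
              Packet("192.168.1.50", "198.51.100.7", "tcp", 80),
              Packet("192.168.1.50", "203.0.113.1", "tcp", 23),
              Packet("61.62.63.123", "203.0.113.1", "tcp", 80)):
        print(p, "->", evaluate(p))
```

Running it reproduces what the two posts describe: the external client's telnet to the firewall's address is accepted by rule 1 on its original destination and leaves with telnethost as the Xlated destination, matching Raul's log line, while an internal client hitting the same port is excluded from that rule by the negated source and is only hidden by the NAT rule. The no-NAT rule has to precede the hide rule, since the first match wins. Without the assumed outbound rule, internal traffic would fall through to the cleanup rule: a NAT rule by itself never grants access.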