
Re: [FW-1] NG NAT with one valid IP doesn't work



I agree with Jim,
the link to phoneboy's doesn't work for NG.
I tested with tcp_wrappers and Netcat, modifying /etc/services and
/etc/inetd.conf, and that's right, but NG doesn't translate anything (I don't
need any NAT rule).
 
I tested a new service of type "other", named telnet_mapped, with IP protocol 6
and a Match definition of SRV_REDIRECT (23, telnethost, 23), and this works
fine!!! But I don't need these NAT rules:
 
NAT RULES:

Any            Firewall        http      Original    Webserver         Original    Gateways
Any            Firewall        telnet    Original    Internalserver    Original    Gateways
 
I only need these NAT rules (to get out to the Internet from the internal LAN):
Internal_lan   Internal_lan    any       Original    Original          Original
Internal_lan   any             any       Original    Valid_IP          Original
 
And the only RULE necessary is:
Negate Internal_lan    Firewall    telnet_mapped    Accept    Log
Any                    Any         Any              Drop      Log
 
This works fine!!! I can see the Xlated destination in the packets when I telnet to the
external IP address, like this:

61.62.63.123 (Origin)    Firewall (Destination)    telnet (Service)    5 (rule number)    Accept    telnethost (Xlated dest.)    telnet (Xlated port)
 
I think phoneboy's document is wrong in some things, or not well explained to me.
 
Raul
 
 
 
----- Original Message -----
From: "Jim Parker" <[email protected]>
Sent: Tuesday, April 23, 2002 1:12 PM
Subject: [FW-1] NG NAT with one valid IP doesn't work

> Recap,
>
> A question has been asked about port address translation. A subscriber has
> answered this request for information by posting a link to phoneboy's website
> which has an FAQ which explains that on NG you can use network address
> translation to translate the public IP of the firewall port 80 to a private
> address on port 80. (The firewall in this scenario has a single public IP.)
>
> I have tested this on two versions of NG on two platforms. I had no success
> on either using the following NAT rule.
> (Note: tested on NG FP1 IPSO and NG FP2 Win2k.)
>
> ORIG PACKET                        TRANS PACKET
> any - firewall - http                    orig - web_server - orig
>
> I did however have success using this 'single public IP bound to the
> firewall external NIC' scenario by using an 'http-mapped' rule as follows:
> (Note: this works on 4.1 SP5, NG FP1 IPSO and NG FP2 Win2k.)
>
> any - firewall - http-mapped - accept
> any - web_server - http - accept
> any - any - any - drop
>
> Note, the 'http-mapped' match is set to
> 'SRV_REDIRECT(80,<web_server_ip>,80)'
>
> For these tests I had client side NAT enabled and the rule base was any
> accept.
>
> I tested another scenario: 2 public IPs. One bound to the firewall external
> NIC; for the other I added a proxy ARP entry in Voyager. I then used a
> network address translation rule to port translate and IP translate. This
> was successful (as one would expect). (Tested on NG FP1 IPSO.)
>
> ORIG PACKET                                        TRANS PACKET
> any - proxy_arp_pub_ip - http                    orig - web_server - orig
> web_server - any - any                           proxy_arp_pub_ip - orig - orig
>
> ----- Original Message -----
>
> Subject: Re: [FW-1] NG NAT with one valid IP doesn't work
>
>
> And again :-) :
>
> http://www.phoneboy.com/faq/0428.html
>
> Tells it all....
>
> Theo
>
>
>


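Raul's log excerpt lists, per connection, the origin, destination, service, rule number, action, Xlated destination and Xlated port. The script below is an added example, not code from this thread or from Check Point: it parses records in that column order and flags accepted connections to the gateway's telnet service that were not redirected to telnethost, which is exactly the symptom Jim describes (the rule accepts but NG translates nothing). The log lines, the "-" placeholder for an empty field, and the names Firewall/telnethost are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample records, one per line, in the column order Raul's log
# excerpt shows: origin, destination, service, rule, action, xlated dest,
# xlated port. A "-" marks a field the gateway left empty (no translation).
SAMPLE_LOG = """\
61.62.63.123  Firewall  telnet  5  Accept  telnethost  telnet
61.62.63.124  Firewall  telnet  5  Accept  -           -
10.0.0.7      Firewall  telnet  5  Accept  telnethost  telnet
198.51.100.9  Firewall  http    6  Drop    -           -
"""


@dataclass
class LogRecord:
    origin: str
    destination: str
    service: str
    rule: int
    action: str
    xlated_dest: str
    xlated_port: str


def parse_log(text: str) -> List[LogRecord]:
    """Split whitespace-separated records into LogRecord objects."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        o, d, s, r, a, xd, xp = fields
        records.append(LogRecord(o, d, s, int(r), a, xd, xp))
    return records


def untranslated(records: List[LogRecord], gateway: str = "Firewall",
                 service: str = "telnet", expected_dest: str = "telnethost",
                 expected_port: str = "telnet") -> List[LogRecord]:
    """Accepted connections to gateway:service whose Xlated fields do not
    show the SRV_REDIRECT target, i.e. the mapping did not take effect."""
    return [r for r in records
            if r.destination == gateway and r.service == service
            and r.action == "Accept"
            and (r.xlated_dest, r.xlated_port) != (expected_dest, expected_port)]


if __name__ == "__main__":
    for rec in untranslated(parse_log(SAMPLE_LOG)):
        print(f"rule {rec.rule}: {rec.origin} -> {rec.destination}:{rec.service} not redirected")
```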
 
   All contents © 2004 Network Presence, LLC. All rights reserved.