Re: [FW-1] web server on secure lan
I don't think it's possible. Presume a ping, for example. You should (I think) get the following sequence of events.

- Ping from: Internal Address X to Public Address Z;
- Inbound (to FW) packet passes security policy, gets sent to OS for routing decision;
- Routing tables say "packet is bound for address on external interface (whether part of subnet or not), send it to that NIC and out the door";
- Outbound (from FW) packet passes security policy;
- NAT is performed on destination address, so now ping looks like Internal Address X to Internal Address Y;
- Packet gets shoved out of external interface with destination of Internal Address Y;
- Packet gets either ignored by all devices on the external subnet (if web server public IP is on that subnet) or dropped by some upstream-to-the-Internet router, having been shoved out of the external NIC.

I haven't done any sniffing to verify the above, but I think that's how it would work (or, in your case, not work for your techs).

-----Original Message-----
From: Richard Marshall [mailto:[email protected]]
Sent: Friday, June 14, 2002 8:56 AM
To: [email protected]
Subject: [FW-1] web server on secure lan

Hi,

I'm after some advice/confirmation. I have had to set up a test environment webserver on an internal LAN with a NAT to a public IP. Public access now works without problem (thanks to some pointers from this list). However, the tech guys that have requested the test env. requested that they should be able to access the public NATted IP themselves, i.e. out from the LAN via a hide address and back into the LAN via the NAT address of the webserver. I was sceptical that it was possible (and am not sure why they feel it's necessary). Having spent the day trying every combination of NAT rules, static routes, etc. that I can think of, I have come to the conclusion it's not possible. Am I right in thinking this, or is it possible after all?

I am running fw-4.1 sp3 on nokia (it's a distributed environment, but it is only the LAN behind the firewall in question that can't access the public IP address.)

thanks in advance
rich

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================