
Re: [FW-1] web server on secure lan

I don't think it's possible.  Presume a ping, for example.  You should (I
think) get the following sequence of events.

- Ping from: Internal Address X to Public Address Z;

- Inbound (to FW) packet passes security policy, gets sent to OS for routing
decision;

- Routing tables say "packet is bound for address on external interface
(whether part of subnet or not), send it to that NIC and out the door";

- Outbound (from FW) packet passes security policy;

- NAT is performed on destination address, so now ping looks like Internal
Address X to Internal Address Y;

- Packet gets shoved out of external interface with destination of Internal
Address Y;

- Packet gets either ignored by all devices on the external subnet (if web
server public IP is on that subnet) or dropped by some
upstream-to-the-Internet router, having been shoved out of the external NIC.

I haven't done any sniffing to verify the above, but I think that's how it
would work (or, in your case, not work for your techs).
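As an added illustration (not part of the original thread), here is a small Python model of the order of operations this reply describes: the routing decision is taken on the pre-NAT destination and destination NAT is applied only afterwards. All addresses are constructed; only the sequence of steps is taken from the post.

```python
import ipaddress

# Constructed addresses for illustration only; the thread names no concrete IPs.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # the "secure LAN"
X = ipaddress.ip_address("10.0.0.50")                # Internal Address X (tech's workstation)
Y = ipaddress.ip_address("10.0.0.80")                # Internal Address Y (web server)
Z = ipaddress.ip_address("203.0.113.80")             # Public Address Z (static NAT of Y)
STATIC_DST_NAT = {Z: Y}
# Case 1: Z lies inside the FW's external subnet.  Case 2: Z is routed to the
# FW by the upstream router and the external link uses a different prefix.
EXT_NET_CASE1 = ipaddress.ip_network("203.0.113.0/24")
EXT_NET_CASE2 = ipaddress.ip_network("198.51.100.0/30")

def route(dst):
    """Routing decision on the PRE-NAT destination: only the LAN prefix is
    reached through the internal NIC; everything else follows the default route."""
    return "internal" if dst in INTERNAL_NET else "external"

def forward(src, dst):
    """Replay the reply's order of operations: inbound policy -> routing ->
    outbound policy -> destination NAT -> egress.  Both policy checks are
    assumed to accept, as the original poster reports public access works."""
    egress = route(dst)                      # decided while dst is still Z
    new_dst = STATIC_DST_NAT.get(dst, dst)   # NAT applied only after routing
    return egress, src, new_dst

def answered(egress, dst, external_net):
    """Would any host on the egress link claim dst?  If the translated address
    is not on that link it is ignored there (case 1) or, with no route back to
    the LAN, dropped by the upstream router (case 2)."""
    link = INTERNAL_NET if egress == "internal" else external_net
    return dst in link

def hairpin_attempt(external_net):
    """A tech on the LAN pings the web server's public address Z."""
    egress, _src, dst = forward(X, Z)
    return egress, str(dst), answered(egress, dst, external_net)

def direct_attempt():
    """Control: the same tech pings the server's real address Y (no NAT)."""
    egress, _src, dst = forward(X, Y)
    return egress, str(dst), answered(egress, dst, EXT_NET_CASE1)

if __name__ == "__main__":
    for name, ext in (("Z on external subnet", EXT_NET_CASE1),
                      ("Z routed from upstream", EXT_NET_CASE2)):
        print(name, "->", hairpin_attempt(ext))
    print("direct to Y ->", direct_attempt())
```

In both cases the packet leaves the external NIC carrying the LAN address Y as its destination, which is exactly the dead end the reply predicts.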

-----Original Message-----
From: Richard Marshall [mailto:[email protected]]
Sent: Friday, June 14, 2002 8:56 AM
To: [email protected]
Subject: [FW-1] web server on secure lan


Hi,

I'm after some advice/confirmation.

I have had to set up a test environment web server on an internal LAN with a
NAT to a public IP. Public access now works without problem (thanks to some
pointers from this list).

However, the tech guys that have requested the test env. requested that they
should be able to access the public NATted IP themselves, i.e. out from the
LAN via a hide address and back into the LAN via the NAT address of the
web server. I was sceptical that it was possible (and am not sure why they
feel it's necessary). Having spent the day trying every combination of NAT
rules, static routes, etc. that I can think of, I have come to the conclusion
it's not possible.

Am I right in thinking this, or is it possible after all?

I am running FW-1 4.1 SP3 on Nokia (it's a distributed environment, but it is
only the LAN behind the firewall in question that can't access the public IP
address).

thanks in advance

rich

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================