
Re: [FW-1] web server on secure lan



Actually, you can do this... the router outside the firewall will "turn
it around". I.e., the internally addressed packet leaves the firewall,
is translated, seeks the static NAT'd address (even in the same subnet)
and the next hop outside the firewall, the screening or boundary router,
tells it: hey, go back the way you came for that address. It is turned
around, and enters the firewall, etc., etc.

The only caveat is that this is a very slow process, and some services
may on occasion time out. We used to do this with 130 internal POP/SMTP
mail servers, belonging to different internal entities, all NAT'd to the
outside world. However, when they communicated with each other, they did
the MX lookup on the DNS, and tried to go out to the Internet and thus
were turned around. Fortunately, we came to our senses, and implemented
a "split-brain" DNS which resolved the internal servers to internal
addresses. Much more reliable.

Bob
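
The two paths Bob contrasts above (an internal client hairpinning through the firewall to the server's public address, versus a split-brain DNS that hands internal clients the internal address) can be traced step by step. The following Python model is an added illustration, not code from this thread or from Check Point; the internal network, the hide-NAT address, the STATIC_NAT table and the DNS records are all constructed for the example, and the hop sequence follows the one Russell describes further down the thread plus the router "turn-around" Bob describes.

```python
"""Model of hairpin NAT versus split-horizon DNS for an internal client.

Everything below (addresses, names, the hide-NAT address) is constructed
for illustration; it is not the thread's real topology.
"""
import ipaddress
from typing import List, Optional

# Constructed topology (assumption, not from the original thread).
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]
FW_HIDE_ADDR = "203.0.113.1"            # firewall external address used for hide NAT

# Static NAT table: public address -> internal host.
STATIC_NAT = {
    "203.0.113.10": "10.1.5.20",        # test webserver
    "203.0.113.11": "10.1.5.21",        # internal SMTP/POP server
}

# Records as the public ("external view") DNS serves them.
EXTERNAL_ZONE = {
    "www-test.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.11",
    "partner.example.net": "198.51.100.7",   # a host that is genuinely outside
}


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str, split_horizon: bool) -> Optional[str]:
    """Address a client receives for `name`.

    Without split horizon every client gets the public record. With it, an
    internal client asking for a statically NAT'd name gets the internal
    address instead, so its packets never have to be turned around.
    """
    public = EXTERNAL_ZONE.get(name)
    if public is None:
        return None
    if split_horizon and is_internal(client_ip) and public in STATIC_NAT:
        return STATIC_NAT[public]
    return public


def trace(client_ip: str, dst_ip: Optional[str]) -> List[str]:
    """Hop-by-hop path of a packet from an internal client: policy, route,
    hide NAT on the way out, the boundary router sending it back, policy
    again, static NAT on the way in."""
    if dst_ip is None:
        return [f"client {client_ip}: no DNS record, nothing sent"]
    hops = [f"client {client_ip} -> {dst_ip}"]
    if is_internal(dst_ip):
        hops.append("fw: not traversed, destination is on the internal side")
        hops.append(f"server {dst_ip} receives {client_ip} -> {dst_ip}")
        return hops
    hops += [
        "fw: inbound policy on internal interface",
        "fw: route lookup -> external interface",
        f"fw: hide NAT src {client_ip} -> {FW_HIDE_ADDR}",
    ]
    if dst_ip not in STATIC_NAT:
        hops.append(f"router: forward {FW_HIDE_ADDR} -> {dst_ip} to the Internet")
        return hops
    internal_dst = STATIC_NAT[dst_ip]
    hops += [
        f"router: {dst_ip} lives behind the firewall, send it back",
        "fw: inbound policy on external interface",
        f"fw: static NAT dst {dst_ip} -> {internal_dst}",
        "fw: route lookup -> internal interface",
        f"server {internal_dst} receives {FW_HIDE_ADDR} -> {internal_dst}",
    ]
    return hops


def firewall_passes(client_ip: str, name: str, split_horizon: bool) -> int:
    """How many times the flow crosses the firewall policy (0, 1 or 2)."""
    dst = resolve(name, client_ip, split_horizon)
    return sum(1 for hop in trace(client_ip, dst) if hop.startswith("fw: inbound policy"))


if __name__ == "__main__":
    for split in (False, True):
        print(f"split-horizon DNS: {split}")
        dst = resolve("www-test.example.com", "10.1.5.30", split)
        for hop in trace("10.1.5.30", dst):
            print("  ", hop)
```

With split horizon off the webserver flow crosses the firewall policy twice and is routed out to the boundary router and back; with it on it never touches the firewall at all, which is the reliability difference Bob describes. The trace also shows why the hide NAT on the way out matters for the hairpin case: the server sees the firewall's address as the source, so its reply returns through the firewall to be untranslated instead of going straight across the LAN to a client that is expecting an answer from the public address.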

-----Original Message-----
From: Hal Dorsman [mailto:[email protected]]
Sent: Friday, June 14, 2002 3:33 PM
To: [email protected]
Subject: Re: [FW-1] web server on secure lan

If you want to route back into the same interface you came out
of, you can't do it.  You can route from a hide NAT'ed LAN to a
legal IP which is statically routed to an internal host in a
separate DMZ on a different interface.

Hal

> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Friday, June 14, 2002 12:16 PM
> To: [email protected]
> Subject: Re: [FW-1] web server on secure lan
>
>
> I don't think it's possible.  Presume a ping, for example.
> You should (I think) get the following sequence of events.
>
> - Ping from: Internal Address X to Public Address Z;
>
> - Inbound (to FW) packet passes security policy, gets sent to
> OS for routing decision;
>
> - Routing tables say "packet is bound for address on external
> interface (whether part of subnet or not), send it to that NIC
> and out the door";
>
> - Outbound (from FW) packet passes security policy;
>
> - NAT is performed on destination address, so now ping looks
> like Internal Address X to Internal Address Y;
>
> - Packet gets shoved out of external interface with destination
> of Internal Address Y;
>
> - Packet gets either ignored by all devices on the external
> subnet (if web server public IP is on that subnet) or dropped
> by some upstream-to-the-Internet router, having been shoved out
> of the external NIC.
>
> I haven't done any sniffing to verify the above, but I think
> that's how it would work (or, in your case, not work for your
> techs).
>
> -----Original Message-----
> From: Richard Marshall [mailto:[email protected]]
> Sent: Friday, June 14, 2002 8:56 AM
> To: [email protected]
> Subject: [FW-1] web server on secure lan
>
>
> Hi,
>
> I'm after some advice/confirmation.
>
> I have had to set up a test environment webserver on an internal
> LAN with a NAT to a public IP. Public access now works without
> problem (thanks to some pointers from this list).
>
> However, the tech guys that have requested the test env.
> requested that they should be able to access the public NATted
> IP themselves, i.e. out from the LAN via a hide address and
> back into the LAN via the NAT address of the webserver. I was
> sceptical that it was possible (and am not sure why they feel
> it's necessary). Having spent the day trying every combination
> of NAT rules, static routes, etc. that I can think of I have
> come to the conclusion it's not possible.
>
> Am I right in thinking this, or is it possible after all?
>
> I am running FW-1 4.1 SP3 on Nokia (it's a distributed
> environment, but it is only the LAN behind the firewall in
> question that can't access the public IP address.)
>
> thanks in advance
>
> rich
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.