Re: [FW-1] web server on secure lan
Bob, I can see that approach working. My thinking was that usually a boundary router wouldn't have routes directing private-net traffic back into the FW, because ideally things outside of the FW shouldn't be talking to the private net addresses anyway (not without a VPN at least). But if there are routes on the boundary box that redirect this traffic, yes, that makes sense.

But... Hm. Hang on. That would mean that there would need to be a rule on the FW that says something like:

Internal Address Pool --> Private IP of web server, Any, Allow.

And with that kind of rule at the FW, you risk spoofing or maybe even invalidate any spoof checking the FW is doing, no?

-----Original Message-----
From: Bob Buel [mailto:[email protected]]
Sent: Friday, June 14, 2002 4:06 PM
To: [email protected]
Subject: Re: [FW-1] web server on secure lan

Actually, you can do this....the router outside the firewall will "turn it around". I.e., the internally addressed packet leaves the firewall, is translated, seeks the static NAT'd address (even in the same subnet) and the next hop outside the firewall, the screening or boundary router, tells it-- hey, go back the way you came for that address. It is turned around, and enters the firewall, etc, etc.

The only caveat is that this is a very slow process, and some services may on occasion time out.

We used to do this with 130 internal pop/smtp mail servers, belonging to different internal entities, all NAT'd to the outside world. However, when they communicated with each other, they did the MX lookup on the DNS, and tried to go out to the internet and thus were turned around. Fortunately, we came to our senses, and implemented a "split-brain" DNS which resolved the internal servers to internal addresses. Much more reliable.
Bob

-----Original Message-----
From: Hal Dorsman [mailto:[email protected]]
Sent: Friday, June 14, 2002 3:33 PM
To: [email protected]
Subject: Re: [FW-1] web server on secure lan

If you want to route back into the same interface you came out of you can't do it. You can route from a hide NAT'ed LAN to a legal IP which is statically routed to an internal host in a separate DMZ on a different interface.

Hal

> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Friday, June 14, 2002 12:16 PM
> To: [email protected]
> Subject: Re: [FW-1] web server on secure lan
>
> I don't think it's possible. Presume a ping, for example. You should
> (I think) get the following sequence of events.
>
> - Ping from: Internal Address X to Public Address Z;
>
> - Inbound (to FW) packet passes security policy, gets sent to OS for
>   routing decision;
>
> - Routing tables say "packet is bound for address on external
>   interface (whether part of subnet or not), send it to that NIC and out
>   the door";
>
> - Outbound (from FW) packet passes security policy;
>
> - NAT is performed on destination address, so now ping looks like
>   Internal Address X to Internal Address Y;
>
> - Packet gets shoved out of external interface with destination of
>   Internal Address Y;
>
> - Packet gets either ignored by all devices on the external subnet (if
>   web server public IP is on that subnet) or dropped by some
>   upstream-to-the-Internet router, having been shoved out of
>   the external NIC.
>
> I haven't done any sniffing to verify the above, but I think that's
> how it would work (or, in your case, not work for your techs).
>
> -----Original Message-----
> From: Richard Marshall [mailto:[email protected]]
> Sent: Friday, June 14, 2002 8:56 AM
> To: [email protected]
> Subject: [FW-1] web server on secure lan
>
> Hi,
>
> I'm after some advice/confirmation.
>
> I have had to set up a test environment webserver on an internal lan
> with a NAT to a public IP.
> Public access now works without problem (thanks to some pointers from this list).
>
> However, the tech guys that have requested the test env. requested that they
> should be able to access the public natted ip themselves, i.e. out from the
> lan via a hide address and back into the lan via the nat address of the
> webserver. I was sceptical that it was possible (and am not sure why they
> feel it's necessary). Having spent the day trying every combination of nat
> rules, static routes, etc. that I can think of I have come to the conclusion
> it's not possible.
>
> Am I right in thinking this, or is it possible after all?
>
> I am running fw-4.1 sp3 on nokia (it's a distributed environment, but
> it is only the lan behind the firewall in question that can't
> access the public IP address.)
>
> thanks in advance
>
> rich
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
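A small model of the packet walk this thread argues over (inbound policy with anti-spoofing, routing on the untranslated destination, NAT as the packet leaves), added here as an illustration; it is not code from any poster nor from FireWall-1 itself, and the addresses, interface names, static/hide NAT entries and the anti-spoofing rule are constructed assumptions:

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the thread): internal LAN on "int",
# public /24 on "ext"; web server 10.1.0.80 is static-NAT'd to 203.0.113.10 and
# the LAN hides behind 203.0.113.1 when it goes out.
IFACES = {"int": ip_network("10.1.0.0/24"), "ext": ip_network("203.0.113.0/24")}
STATIC_NAT = {ip_address("203.0.113.10"): ip_address("10.1.0.80")}  # public -> private
HIDE_ADDR = ip_address("203.0.113.1")

def route(dst):
    """Routing decision: a directly connected subnet wins, else the default route via ext."""
    for name, net in IFACES.items():
        if dst in net:
            return name
    return "ext"

def antispoof_ok(iface, src):
    """Anti-spoofing as assumed here: internal sources only on int, never on ext."""
    internal = src in IFACES["int"]
    return internal if iface == "int" else not internal

def trace(src, dst, in_iface):
    """Walk one packet through the order Russell describes: inbound policy
    (anti-spoofing), routing on the untranslated destination, then NAT as the
    packet leaves. Returns (out_iface, src_after_nat, dst_after_nat, verdict)."""
    src, dst = ip_address(src), ip_address(dst)
    if not antispoof_ok(in_iface, src):
        return (None, str(src), str(dst), "dropped: anti-spoofing")
    out_iface = route(dst)
    new_dst = STATIC_NAT.get(dst, dst)  # static NAT rewrites the destination
    new_src = HIDE_ADDR if src in IFACES["int"] and out_iface == "ext" else src
    if out_iface == "ext" and new_dst in IFACES["int"]:
        # The hairpin failure: a private destination is pushed out of the external NIC,
        # where nothing answers for it unless an upstream router turns it around.
        return (out_iface, str(new_src), str(new_dst), "lost: private dst sent out ext")
    return (out_iface, str(new_src), str(new_dst), "delivered")

if __name__ == "__main__":
    # Internal client -> public NAT address: the case the thread says cannot work directly.
    print(trace("10.1.0.5", "203.0.113.10", "int"))
    # Split-brain DNS hands the client the private address: a plain LAN-to-LAN hop.
    print(trace("10.1.0.5", "10.1.0.80", "int"))
    # Russell's worry: an internal source address arriving on ext trips anti-spoofing.
    print(trace("10.1.0.5", "10.1.0.80", "ext"))
```

The third call shows why a rule allowing the internal pool to reach the server's private address from the outside would have to weaken the spoof check, while the second shows what the split-brain DNS buys: the packet never leaves the internal interface.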