
Re: [FW-1] Destination Static NATting



I now have 2 NICs.

Internal [10.0.0.0/8] --> [10.0.0.1] FW-1 [172.16.3.20 & 172.16.30.20] --> External

The 10.0.0.1 is on the first NIC, while the 172.16.0.0/16 IPs are on the 2nd
NIC. I followed everything to setup a Static Destination NAT, and the last
step I did is to add a persistent route on my routing table: route add -p
172.16.30.20 10.0.0.4; wherein the 10.0.0.4 is the web server. Here's the
routing table after adding the new route:

172.16.30.20 - 255.255.255.255 - 10.0.0.4 - 10.0.0.1

Basically, the route was added on the first NIC. Isn't it supposed to be
added on the 2nd NIC wherein the external IPs are bound? I tried forcing it
to be added on the 2nd NIC but I would get "error 87".

Still, the HTTP traffic is being accepted only on 172.16.30.20. There's no
trace on the log that it is being translated into 10.0.0.4.

Any assistance is highly appreciated.

Thanks,
Maenard

-----Original Message-----
From: Lars Troen [mailto:[email protected]]
Sent: Wednesday, August 21, 2002 9:24 PM
To: [email protected]
Subject: Re: [FW-1] Destination Static NATting


I've never tried such a config but I *do* believe it will cause problems.
This is because the firewall will send an ICMP packet to the client to tell it
that, since the traffic is on the same interface, it does not need to go through
the firewall. If you check your client PC you will also see that you've got
a static route that will make you unable to get any external contact, because
these problems make the PC try to connect to the internet without
any NATting being performed.

So, you are probably better off getting another NIC for your firewall; they
don't cost a fortune anymore (EUR/$15).

Lars

> -----Original Message-----
> From: Maenard Martinez (TS-PH)
> [mailto:[email protected]]
> Sent: Wednesday, August 21, 2002 12:27
> To: [email protected]
> Subject: Re: [FW-1] Destination Static NATting
>
>
> Thanks, Neil. But the problem is that I only have 1 NIC. Both logical
> internal and external IPs are located on the same NIC. Does this pose a
> problem? Thanks in advance.
>
> -----Original Message-----
> From: Ronneil Camara [mailto:[email protected]]
> Sent: Wednesday, August 21, 2002 12:59 PM
> To: [email protected]
> Subject: Re: [FW-1] Destination Static NATting
>
>
> Hey, looks like you forgot to execute the route command. You should add a
> route on the external address pointing to the internal target address of the
> server.
>
> Something like this:
>
> route add 172.16.30.20 mask 255.255.255.255 10.0.0.4
>
> Try this :)
>
> Maenard Martinez (TS-PH) writes:
>
> > Hi!
> >
> > I have a lab wherein I am simulating the setup below:
> >
> > Objective: Let external IPs (172.16.0.0/16) connect to the Internet
> > services on the 10.0.0.0/8 network
> >
> > FTP/SMTP/HTTP [10.0.0.4] --------- [10.0.0.1] FW-1 SP1
> > [172.16.3.20/172.16.30.20] -------------- External
> >
> > The 10.0.0.4 hosts the internet services, and its gateway is 10.0.0.1. Two
> > valid (logically) IP addresses are bound that will act as external IP
> > addresses (FW-1 has only 1 NIC and I did an IP aliasing to simulate
> > multiple NICs).
> >
> > I did the following already on the Policy:
> >
> > SOURCE   DESTINATION    SERVICE         ACTION
> > Any      172.16.30.20   FTP/HTTP/SMTP   Accept
> >
> >
> > For the NAT, I have these:
> >
> >          [ORIGINAL PACKET]                 [TRANSLATED PACKET]
> > SOURCE   DESTINATION    SERVICE   SOURCE   DESTINATION   SERVICE
> > Any      172.16.30.20   Any       Orig     10.0.0.4      Orig
> >
> > I also retrieved the MAC address of the NIC of the FW-1 and added it on
> > the local.arp and installed the policy. On the article from PhoneBoy, it
> > mentioned the IP spoofing configuration. I am not familiar with the said
> > configuration?
> >
> > After following the steps (except for the IP spoofing), it still doesn't
> > work. According to the log, the traffic from the external is being
> > accepted by 172.16.30.20, but that's it; there's no indication that the
> > traffic is being forwarded or translated to 10.0.0.4; but the FTP traffic
> > is being accepted by 172.16.30.20. I also have this route on my routing
> > table (NT4.0):
> >
> > Network Destination   Netmask           Gateway     Interface   Metric
> >        172.16.30.20   255.255.255.255   127.0.0.1   127.0.0.1   1
> >        172.16.30.20   255.255.255.255   10.0.0.4    10.0.0.4    1
> > Default Gateway:      10.0.0.1
> >
> > Am I missing something?
> >
> > Any feedback is highly appreciated.
> >
> > Thanks,
> > Leo
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
>


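The replies in this thread ask for three things before static destination NAT can work on FW-1: a /32 host route for the translated external address pointing at the internal server (Ronneil), a local.arp entry carrying the firewall NIC's MAC for that address (Leo's step), and internal and external traffic on separate interfaces (Lars). The script below is an added example, not code from the thread or from Check Point: it parses a constructed Windows NT `route print` dump and a constructed local.arp file and reports which of those prerequisites are missing. The addresses are the ones in the posts; the MAC address is a placeholder, and the check for a conflicting loopback host route (the second 172.16.30.20 entry in Leo's table, which shows the address is bound to the firewall's own stack) is a heuristic of this example.

```python
"""
Static destination NAT prerequisite checker (added example, not from the
thread).  Parses a Windows NT `route print` dump and a FireWall-1 local.arp
file and reports whether the host route, the local.arp entry and the
separate-interface condition discussed in the thread are satisfied.
All input is constructed sample data; the MAC address is a placeholder.
"""
import ipaddress
import re

# Addresses from the thread; the MAC is a placeholder, not from the page.
EXTERNAL_NAT_IP = "172.16.30.20"
INTERNAL_TARGET = "10.0.0.4"
FW_MAC = "00-50-56-aa-bb-cc"

# Constructed `route print` output in the column layout shown in the thread.
# It deliberately includes the loopback host route from Leo's table.
ROUTE_PRINT_SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        172.16.3.1   172.16.3.20       1
         10.0.0.0        255.0.0.0          10.0.0.1      10.0.0.1       1
     172.16.30.20  255.255.255.255          10.0.0.4      10.0.0.1       1
     172.16.30.20  255.255.255.255         127.0.0.1     127.0.0.1       1
        127.0.0.0        255.0.0.0         127.0.0.1     127.0.0.1       1
Default Gateway:        172.16.3.1
"""

# Constructed local.arp: one "<ip> <mac>" pair per line, '#' starts a comment.
LOCAL_ARP_SAMPLE = """\
# addresses the firewall must answer ARP for on behalf of NATted hosts
172.16.30.20 00-50-56-aa-bb-cc
"""

# A route row is exactly five whitespace-separated fields, the last numeric.
ROUTE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Return one dict per route row; header and 'Default Gateway' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        try:
            ipaddress.ip_address(dest)
        except ValueError:
            continue
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes


def parse_local_arp(text):
    """Map IP -> lower-cased MAC from a local.arp file."""
    entries = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if len(body) >= 2:
            entries[body[0]] = body[1].lower()
    return entries


def check_static_nat(routes, arp, nat_ip, target_ip, fw_mac):
    """Return a list of findings; an empty list means the prerequisites hold."""
    findings = []
    host_routes = [r for r in routes
                   if r["dest"] == nat_ip and r["mask"] == "255.255.255.255"]
    via_target = [r for r in host_routes if r["gateway"] == target_ip]

    # Ronneil's point: the translated address needs a host route to the server.
    if not via_target:
        findings.append(f"missing host route {nat_ip}/32 via {target_ip}")

    # Heuristic: a second /32 for the same address via 127.0.0.1 means the
    # address is bound to the firewall's own stack (IP aliasing) and competes
    # with the route toward the internal server.
    if any(r["gateway"] == "127.0.0.1" for r in host_routes):
        findings.append(f"conflicting loopback host route for {nat_ip}: "
                        "the address is bound to the firewall itself")

    # Leo's step: local.arp must carry the firewall NIC's MAC for the address.
    mac = arp.get(nat_ip)
    if mac is None:
        findings.append(f"local.arp has no entry for {nat_ip}")
    elif mac != fw_mac.lower():
        findings.append(f"local.arp maps {nat_ip} to {mac}, expected {fw_mac.lower()}")

    # Lars's point: internal and external traffic on one interface is trouble.
    default = [r for r in routes if r["dest"] == "0.0.0.0"]
    if via_target and default and via_target[0]["interface"] == default[0]["interface"]:
        findings.append("host route and default route share one interface "
                        "(internal and external on the same NIC)")
    return findings


def run_sample():
    """Run the checks over the constructed sample data."""
    routes = parse_route_print(ROUTE_PRINT_SAMPLE)
    arp = parse_local_arp(LOCAL_ARP_SAMPLE)
    return check_static_nat(routes, arp, EXTERNAL_NAT_IP, INTERNAL_TARGET, FW_MAC)


if __name__ == "__main__":
    for finding in run_sample():
        print("FINDING:", finding)
```

On the constructed sample the host route and the local.arp entry are present and the default route sits on a different interface, so the only finding is the loopback conflict; feeding it a real `route print` dump and local.arp file in place of the sample strings exercises the same checks.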
   All contents © 2004 Network Presence, LLC. All rights reserved.