The NAT trick to FW-1 is to understand you have to get the NT server to do
most of the work for you first.

The data traffic has to believe it's being routed, even through the mail
server.  FW-1 doesn't direct data traffic, the NT OS does.

1.  You have to get the firewall to answer to the NAT IP address via ARP and
maybe even help it with a static mapping in the external router.  Basically
the mail NAT address you're looking for is found behind this router (the
firewall).

2.  Second you have to tell NT what you intend to do with those packets
coming in for that NAT address.  You do that with another static route,
this time on the firewall, pointing to the Mail server as if the mail
server was but a router on the way to the NAT address.

So before you even get to FW-1 settings, you are telling the network the
FW-1 server is the router for the Mail NAT address and then you're telling
the FW-1 server that the mail server is the next router on the way to the
NAT mail address.

3.  Now you set up the static rule in FW-1 to translate the packets on their
way through the server.  See, the packets before step three are already headed
for the mail server.  FW-1 just changes the IP address in the header on its
way through the cards.  Only now the packet is not being routed through the
mail server; the packet has the IP address of the mail server and it uses it.

The returning packets from the mail server back to the client will be taking
a normal route back out to the internet, only the address that the packet
started with (the internal mail IP) will be edited again on its way through
the FW-1 server and the internal IP address will be replaced in the packet
header with the mail NAT address on its way through.

Once you understand you have to make the NT OS do most of the routing work
for NAT translations in FW-1, it really gets easy to do and troubleshoot.

I can be more specific and detailed if you need more info on this subject.

Kevin Rouse

> -----Original Message-----
> From: Mikael Olsson [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, June 23, 1999 5:00 AM
> To:   Slife, Andrew M., CTR, OSD/P&R
> Cc:   [EMAIL PROTECTED]
> Subject:      Re: NAT weirdness on FW-1
> 
> 
> Easily explained.
> 
> Let's assume two networks. 1.x is publicly accessible,
> and 1.1 is the firewall's external interface. This is
> also the address that people would SMTP to.
> 
> 2.1 is the firewall's internal interface.
> 2.2 is your client.
> 2.3 is the mail server.
> 
> Client sends request
> 2.1 -> 1.1:25
> Firewall does static NAT
> 2.1 -> 2.3:25
> mail server receives and responds
> 2.3:25 -> 2.1
> 
> This gets sent directly over the LAN, and hence
> your client gets the response from a different
> IP than it originally contacted.
> 
> What you need to do (and, to my knowledge, you
> cannot do this with FW-1 in a secure manner,
> someone else care to elaborate?) is:
> 
> Client sends request
> 2.1 -> 1.1:25
> Firewall does static NAT
> 2.1 -> 2.3:25
> Firewall ALSO does NAT-hide
> 2.1 -> 2.3:25
> Mail server receives and responds
> 2.3:25 -> 2.1
> This is received by the firewall, which does the hide reverse
> 2.3:25 -> 2.2
> And also the static translation reverse
> 1.1:25 -> 2.2
> 
> And sends to the client, which happily accepts it!
> 
> Yes, people, this is means every packet makes noise
> on the internal lan TWICE. No, it's not good, but
> the only way to actually make it work.
> 
> What you probably can do though, is to set up
> a split DNS, that reports mail.mycompany.com as
> being 1.1 for external people, and being 2.3
> to internal users. (I'm assuming this is where
> the problem really lies?)
> "Slife, Andrew M., CTR, OSD/P&R" wrote:
> > 
> > Are your internal addresses routable?  Even though you are using NAT, if the
> > internal addresses are from the private ranges, SMTP no workie workie with
> > FW-1 NAT (even though it seems like it should).  In a previous incarnation,
> > I had NAT for my 10.x internal ranges and it Would Not Work (getting
> > inexplicable results like those you describe).  When the box was put in the
> > DMZ and given a valid public IP address, NAT worked with SMTP.
> > Andrew
> > 
> > Jen wrote:
> > 
> >         Okay, I've setup NAT lots and lots of times, but this problem is driving
> >         me crazy.  I setup an SMTP server on an NT workstation for testing
> >         purposes.  I setup address translation on the FW for that machine.
> >         However, when I try to telnet to port 25 from the outside world, nothing
> >         happens.  I look in the firewall logs, and it says it accepted the
> >         connection.  Furthermore, when I telnet out from the workstation in
> >         question, the source address is the valid (translated) address.  So
> >         translation seems to be working, at least outgoing.
> > 
> >         As a test, I pointed the valid address to another internal IP.  After I
> >         did that, I could telnet to port 25 just fine from the outside world.  I
> >         switch it back, and nada.  The problem might be the workstation, except
> >         ... when I telnet to port 25 from the internal network, it works just
> >         fine.
> > 
> >         Any ideas?
> > 
> >         Jen
> > 
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> 
> -- 
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
> WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
