I think the more appropriate question Mike is asking, is how to do PAT (Port Address translation), even if the port may stay the same and the external IP address changes. I do agree with Reinhard's answer - get a static IP address, but this still may not help if there is only one address available. The best solution is to get a range of static IP addresses that can be used for multiple static server address translations.
If this is not available, what will need to be done is something similar to the following:

1. Create objects for the external and internal IP addresses of the server needed (the external will be the same as the IP of the firewall - click OK through the dialogue box).

2. Create a NAT rule similar to the following:

       Original Packet            Translated Packet
       Src    Dest    Port        Src    Dest    Port
       ANY    Ext-IP  VNC         Orig   Int-IP  Orig

3. Create a rule in the rule base allowing the connection. If possible, in the rule base, limit the SRC to only the IP address that should be allowed to connect via VNC to the machine.

Hope this helps,
Chris

-----Original Message-----
From: Shoval Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Dynamic IP NAT Issues on NG FP4

Reinhard,

He didn't ask if it was wise, he asked how it's done.

Mike - I think you need to create a network object for the host you want to connect to, and in the object property pages, in the NAT tab, set it to "hide behind gateway". You also need to add into the rule base a rule that says from where you allow connections to this host.

If you'd like to talk about security - doing hide behind gateway for incoming connections is not the best way to go. One of the reasons is that you just told the whole world what the IP address of your firewall is... I don't remember any more reasons, as I do not allow any incoming connections that are not via VPN over here.

In any case I suggest not doing it using VNC, because it's probably not that secure itself. You should try using RDP (Microsoft's remote desktop - a.k.a. remote assistance) if it's a Windows box, and using ssh with X through it if it's a UNIX/Linux box. These are much more secure, and free (at least RDP on Windows and ssh on Linux).

Good luck.
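Chris's three steps and Tom's point about a source-restricting rule, modelled as an added example (not code from the thread or from Check Point): a static destination-NAT rule for the gateway's external address on the VNC service, then an access rule admitting only one trusted source. It also shows why the thread warns against a dynamic address: once DHCP moves the gateway to a new address, the Ext-IP object is stale and the NAT rule stops matching. All addresses are constructed; the VNC port is the protocol's default 5900, and matching the rule base on the translated packet is this model's simplification, not a statement about FW-1 internals.

```python
# Added example, not code from the thread or from Check Point: a model of the two-step setup above.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

VNC = 5900  # default TCP port for VNC display :0

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int

@dataclass(frozen=True)
class NatRule:
    """Original: Src ANY, Dest ext_ip, port service. Translated: Dest int_ip, Src and port Orig."""
    ext_ip: IPv4Address
    int_ip: IPv4Address
    service: int

    def apply(self, pkt: Packet) -> Packet:
        if pkt.dst == self.ext_ip and pkt.dport == self.service:
            return replace(pkt, dst=self.int_ip)
        return pkt  # no match: leave the packet untranslated

@dataclass(frozen=True)
class AccessRule:
    src: IPv4Network  # limit SRC to the one address allowed to reach VNC
    dst: IPv4Address
    service: int

def decide(pkt: Packet, nat: NatRule, rules: list[AccessRule]) -> tuple[str, Packet]:
    """Translate, then match the rule base on the translated packet (a modelling choice,
    not a claim about FW-1's NAT/policy ordering). No match means drop, like Mike's catch-all."""
    out = nat.apply(pkt)
    for r in rules:
        if out.src in r.src and out.dst == r.dst and out.dport == r.service:
            return "accept", out
    return "drop", out

EXT_IP = ip_address("203.0.113.10")      # constructed: gateway's current DHCP address
INT_IP = ip_address("192.168.1.20")      # constructed: internal VNC server
TRUSTED = ip_network("198.51.100.7/32")  # constructed: only remote admin allowed in
NAT = NatRule(EXT_IP, INT_IP, VNC)
RULES = [AccessRule(TRUSTED, INT_IP, VNC)]

if __name__ == "__main__":
    print(decide(Packet(ip_address("198.51.100.7"), EXT_IP, VNC), NAT, RULES))
    print(decide(Packet(ip_address("192.0.2.99"), EXT_IP, VNC), NAT, RULES))
    # After a DHCP lease change the Ext-IP object is stale: no NAT match, so dropped.
    print(decide(Packet(ip_address("198.51.100.7"), ip_address("203.0.113.44"), VNC), NAT, RULES))
```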
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Reinhard Stich
Sent: Wednesday, January 07, 2004 4:29 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Dynamic IP NAT Issues on NG FP4

hi,

a dynamic IP address is a bad idea for inbound connections ... the easiest way is to get a static IP address

cheers
reinhard

At 13:07 07.01.2004, you wrote:
>Hi
>
>I am using NG FP4 on a SecurePlatform box. I have 2 NIC cards, 1
>connected to the internal network and the other connected to a NIC
>connected to a cable modem via DHCP.
>
>I have established a simple ruleset to enable internal boxes to see the
>internet and connect to an external POP3 server and I have added a rule
>dropping all other external packets coming in.
>
>My Problem:
>
>I only have one (dynamic) external IP address. I want to allow an
>outside VNC session to see one of my internal servers, via port forwarding. However
>I am at a loss on how I can do this. I am not sure what to NAT.
>
>Has anyone else got a similar setup or knows what I should do?
>
>Thank you
>
>Mike Huxley
>mailto:[EMAIL PROTECTED]
>Internet Operations Technician
>MM Group Ltd incorporating Contact 24
>http://www.mmgroup.co.uk / http://www.contact24.co.uk
>I) 8021
>E) +44 (0)117 9168021
>addr) http://www.mmgroup.co.uk/contacts/addresses.html
>
>=================================================
>To set vacation, Out-Of-Office, or away messages, send an email to
>[EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your subscription options,
>email [EMAIL PROTECTED]
>=================================================

--
Reinhard Stich, ASSIST                 [EMAIL PROTECTED]
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440                     RS784-RIPE
Fax: +43 1 3709440-10
Do you know our mailing lists for technicians?
Info at https://isecure.internet-security.at/infos.html#2
