To secure it better, I would add a rule in the firewall dropping any incoming traffic to xxx.xxx IPs. This would take care of the router getting compromised at any point in time. The solution you implemented was only able to NAT the outgoing traffic; the incoming was still open.

-Loge VK
On 9/15/05, Ray <[EMAIL PROTECTED]> wrote:
>
> Thanks for the confirmation. In fact that is precisely what we're going to
> do and why we're doing this. For whatever reason, I thought FW-1 would
> change the Internet-accessible IP address from xxx to yyy.
>
> Ray
>
>
> >From: cisco4ng <[EMAIL PROTECTED]>
> >To: [email protected]
> >CC: [EMAIL PROTECTED]
> >Subject: Re: [FW-1] Question about Static NAT with two public IPs
> >Date: Wed, 14 Sep 2005 18:03:00 -0700 (PDT)
> >
> >Ray,
> >The Firewall is just a routing device with CP software
> >on it. Therefore it is reasonable that you can access
> >both xxx.xxx.123.123 and yyy.yyy.123.123 because the
> >upstream device in front of the firewall (probably a
> >router) has either static or dynamic routes to go to
> >xxx.xxx.123.123 by pointing to the firewall.
> >
> >The easiest thing to do is to remove the route on the
> >upstream device so that it does not know how to get to
> >xxx.xxx.123.123 and the only way to get to it is via
> >yyy.yyy.123.123. Without removing this route, no
> >amount of NAT can change this behavior.
> >
> >A Cisco router behaves the same way.
> >
> >HTH
> >cisco4ng
> >
> >--- Ray <[EMAIL PROTECTED]> wrote:
> >
> > > Yes, this has been a thoroughly confusing week.
> > > Thanks for noticing. :-)
> > >
> > > I'm working with a company that uses public IPs on their internal
> > > network because it's fifteen years old. They have been allowing direct
> > > connections to each internal computer directly from the Internet
> > > (no NAT). We now have Hide NAT configured to at least obscure the
> > > internal IP space from the Internet.
> > >
> > > We're trying to set up Static NAT to do the same with their internal
> > > servers.
> > > The internal "public" IP is
> > >
> > > xxx.xxx.123.123
> > >
> > > and the "Static" address set on the server node object NAT tab is
> > >
> > > yyy.yyy.zzz.123
> > >
> > > Interestingly, BOTH IP addresses are now accessible from the Internet.
> > > There's only one node object with that xxx.xxx.123.123 internal IP
> > > address and it's only specified in one rule.
> > >
> > > Is this normal behavior for R55? I would have thought that adding the
> > > static NAT entry would have blocked the internal IP address from being
> > > accessible from the Internet, but it didn't.
> > >
> > > Thanks,
> > >
> > > Ray
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to [EMAIL PROTECTED]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > [EMAIL PROTECTED]
> > > =================================================
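The thread's three positions (Ray's observation that both addresses answer, cisco4ng's "remove the upstream route", Loge VK's "drop inbound to the xxx.xxx range") can be checked against a small model of the path an Internet packet takes. The following is an added example written for this page; it is not code from the list, from Ray, or from Check Point. The topology is constructed: 198.51.100.0/24 stands in for the thread's internal "public" xxx.xxx range, 203.0.113.0/24 for the yyy.yyy range, 192.0.2.1 is an assumed firewall external address, and the router and firewall are a deliberately small abstraction (longest-prefix routing, first-match rule base evaluated on the original destination, a node object that matches both its real and its static NAT address). FW-1's own NAT internals are not modelled.

```python
"""Why static NAT alone did not hide the server's internal address.

Added example for the FW-1 thread; not code from the list or from Check Point.
Addresses are constructed stand-ins for the thread's xxx.xxx / yyy.yyy ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

INTERNAL_RANGE = Net("198.51.100.0/24")     # stands in for xxx.xxx.123.0/24
NAT_RANGE = Net("203.0.113.0/24")           # stands in for yyy.yyy.zzz.0/24
SERVER_REAL = IPv4("198.51.100.123")        # xxx.xxx.123.123 in the thread
SERVER_STATIC_NAT = IPv4("203.0.113.123")   # yyy.yyy.zzz.123 in the thread
FW_OUTSIDE = IPv4("192.0.2.1")              # assumed firewall external interface


@dataclass
class Rule:
    action: str                             # "accept" or "drop"
    matches: Callable[[IPv4], bool]         # evaluated on the original (pre-NAT) dst


@dataclass
class Topology:
    routes: Dict[Net, IPv4]                 # upstream router: prefix -> next hop
    static_nat: Dict[IPv4, IPv4]            # public NAT address -> real address
    rules: List[Rule]                       # first match wins, implicit cleanup drop


def route_lookup(routes: Dict[Net, IPv4], dst: IPv4) -> Optional[IPv4]:
    """Longest-prefix match on the upstream router; None if it has no route."""
    candidates = [(p.prefixlen, nh) for p, nh in routes.items() if dst in p]
    return max(candidates)[1] if candidates else None


def firewall(topo: Topology, dst: IPv4) -> Optional[IPv4]:
    """Return the real host a packet to dst reaches, or None if it is dropped."""
    for rule in topo.rules:
        if rule.matches(dst):
            if rule.action == "drop":
                return None
            return topo.static_nat.get(dst, dst)   # accepted, then translated
    return None                                    # cleanup rule


def reaches_server(topo: Topology, dst: IPv4) -> bool:
    """Can an Internet host reach the real server by sending to dst?"""
    if route_lookup(topo.routes, dst) != FW_OUTSIDE:
        return False          # the router never hands the packet to the firewall
    return firewall(topo, dst) == SERVER_REAL


def server_object(dst: IPv4) -> bool:
    """Ray's single node object: matches its real IP and its static NAT IP."""
    return dst in (SERVER_REAL, SERVER_STATIC_NAT)


def baseline() -> Topology:
    """Ray's state: static NAT configured, upstream route to xxx.xxx still present."""
    return Topology(
        routes={INTERNAL_RANGE: FW_OUTSIDE, NAT_RANGE: FW_OUTSIDE},
        static_nat={SERVER_STATIC_NAT: SERVER_REAL},
        rules=[Rule("accept", server_object)],
    )


def with_drop_rule() -> Topology:
    """Loge VK's fix: drop anything from the Internet addressed to the xxx.xxx range."""
    t = baseline()
    t.rules.insert(0, Rule("drop", lambda d: d in INTERNAL_RANGE))
    return t


def with_route_removed() -> Topology:
    """cisco4ng's fix: the upstream router no longer knows how to reach xxx.xxx."""
    t = baseline()
    del t.routes[INTERNAL_RANGE]
    return t


def exposure(topo: Topology) -> Dict[str, bool]:
    """Which of the two addresses still deliver a packet to the real server."""
    return {
        "real": reaches_server(topo, SERVER_REAL),
        "nat": reaches_server(topo, SERVER_STATIC_NAT),
    }


if __name__ == "__main__":
    for name, build in [("baseline", baseline),
                        ("drop rule", with_drop_rule),
                        ("route removed", with_route_removed)]:
        print(f"{name:14s} {exposure(build())}")
```

In the baseline both addresses reach the server, which is the behaviour Ray saw: the static NAT entry only adds a second way in, it removes nothing. Either fix closes the direct path while leaving the NAT address working, and doing both is the usual choice, since the drop rule still holds if someone re-adds the route on the router later. One caveat the model makes explicit: the drop rule is written against the destination as it arrives from the Internet. Before trusting it on a real gateway, confirm which addresses the rule base sees for the NATed flow, because a drop on the xxx.xxx range that were applied after destination translation would also discard the legitimate traffic to yyy.yyy.zzz.123.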
