On Mon, 16 Oct 2006, Sergio Alvarez wrote:

> A common scenario where you would use DNS doctoring is when you have a
> public server on a DMZ and you would like for the machines on the internal
> network to be able to access it using its domain name, but using an
> external DNS for the resolution, which of course resolves a public IP
> address. DNS Doctoring will modify the DNS resolution (which again I don't
> think is possible using Check Point), but if you create a manual NAT rule on
> Check Point that says that whenever the internal network goes to the public
> IP of the server on the DMZ, the source is not NATed, but the destination is
> NATed to the private IP on the DMZ, the traffic should in fact reach its
> destination. Of course this workaround would not affect the output of an
> nslookup issued on the internal hosts.

This might go horribly wrong if the resulting traffic ends up not being
stateful from the perspective of your Check Point firewall.

Say you fire the SYN packet and you send it through the firewall to go 
abroad. Then your NAT rule translates and the destination points 
internally again and the packet leaves that way.

As the source and destination are now local addresses your SYN/ACK packet 
will go directly.

If the ACK packet is sent again through the firewall it will drop it as it
missed a stage in the handshake.

This is known as the asymmetric routing nightmare and should be avoided.

Whether or not this applies depends on your exact setup.

Hugo.

-- 
        [EMAIL PROTECTED]       http://hvdkooij.xs4all.nl/
            This message is using 100% recycled electrons.
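The failure mode Hugo describes, as an added example that is not part of the thread: a toy stateful-inspection model in Python that applies the manual destination-only NAT rule from Sergio's post and drops the client's final ACK when the SYN/ACK went directly between the two internal addresses instead of through the firewall. Addresses, the NAT rule and the connection table are constructed for illustration, and the model ignores source re-translation of return traffic.

```python
from dataclasses import dataclass, field

# Constructed addresses (RFC 1918 / TEST-NET), not from the thread.
INTERNAL_CLIENT = "10.0.0.10"
DMZ_SERVER_PRIVATE = "172.16.0.5"
DMZ_SERVER_PUBLIC = "203.0.113.5"

@dataclass
class StatefulFirewall:
    """Toy stateful inspection: a flow may only advance through
    SYN -> SYN/ACK -> ACK if the firewall saw every earlier stage."""
    nat_dst: dict = field(default_factory=dict)   # (src, dst) -> translated dst
    state: dict = field(default_factory=dict)     # (src, dst) -> handshake stage
    log: list = field(default_factory=list)

    def inspect(self, src: str, dst: str, flags: str) -> bool:
        dst = self.nat_dst.get((src, dst), dst)   # manual NAT: destination only
        key, reverse = (src, dst), (dst, src)
        if flags == "SYN":
            self.state[key] = "SYN_SENT"
            return True
        if flags == "SYN/ACK" and self.state.get(reverse) == "SYN_SENT":
            self.state[reverse] = "SYN_RECV"
            return True
        if flags == "ACK" and self.state.get(key) == "SYN_RECV":
            self.state[key] = "ESTABLISHED"
            return True
        self.log.append(f"DROP {src}->{dst} {flags}: no matching state")
        return False

def handshake(symmetric: bool) -> list:
    """Return the firewall's verdict on each handshake packet it sees.
    symmetric=False models the thread's case: the SYN/ACK travels directly
    from the DMZ host to the internal client and never crosses the firewall."""
    fw = StatefulFirewall(
        nat_dst={(INTERNAL_CLIENT, DMZ_SERVER_PUBLIC): DMZ_SERVER_PRIVATE})
    verdicts = [fw.inspect(INTERNAL_CLIENT, DMZ_SERVER_PUBLIC, "SYN")]
    if symmetric:
        verdicts.append(fw.inspect(DMZ_SERVER_PRIVATE, INTERNAL_CLIENT, "SYN/ACK"))
    verdicts.append(fw.inspect(INTERNAL_CLIENT, DMZ_SERVER_PUBLIC, "ACK"))
    return verdicts

if __name__ == "__main__":
    print("symmetric :", handshake(True))    # [True, True, True]
    print("asymmetric:", handshake(False))   # [True, False]
```

In the asymmetric run the client's ACK still arrives addressed to the public IP, is translated to the private one, and hits a flow that the firewall only ever saw in the SYN_SENT stage, so it is dropped exactly as the reply predicts.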
