> Creating static nat does not allow a connection to that
> object. There would have to be a rule that allows that.

That much is obvious, and was specifically stated in my message. That fact is not the problem. But the "rule that allows that" allows access to *both* native and NAT IP addresses. A separate rule must apparently be created to prevent that unintended consequence.

Say you have a web server, and you've created a host object in FW-1 for that web server, named it "Web_server", populated the IP address property of that object with a private network address like 10.1.1.1, checked the "Add automatic address translation rule" and entered a public internet routable IP address for the device. Then you create a security rule like so:

    Source   Destination   Service   Action
    Any      Web_server    HTTP      Allow

Now, not only can the world connect to the public internet routable address of your web server, but - if a route exists - also to the private network address. While, because of the missing route, on the internet that's not generally a problem, in my world we have several partner agencies with whom we maintain point-to-point connections. In order to prevent address overlap a static NAT is applied to our web servers we make available to them. As described, without additional rules, those agencies are able to connect to either the NAT address or the private address of our servers.

My question is how to best configure those rules. It becomes ugly and clumsy when we need to allow some nets to connect to native IP addresses, but deny others that should only connect to the NAT address.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Chris H
> Sent: Tuesday, December 11, 2007 2:19 AM
> To: [email protected]
> Subject: Re: [FW-1] Security rules vis automatic static NAT
>
> Creating static nat does not allow a connection to that
> object. There would have to be a rule that allows that. A
> suggestion would be to look at your logs and attempt the
> connection to the static nat address. Look at the rule
> number that is allowing that connection to take place. I
> would assume that you will find an unexpected rule is doing an accept.
>
> --- Dan Lynch <[EMAIL PROTECTED]> wrote:
>
> > Greetings group,
> >
> > When using automatic static NAT, how should rules be configured to
> > prevent external users from connecting to the host's native IP
> > address?
> >
> > If the rule reads:
> >
> >     Source           Destination   Service   Action
> >     Net_192.168.1.0  Host_object   Any       Allow
> >
> > And the Host_Object has an automatic static NAT applied, external
> > users can access the host's NAT address *or* the native IP. What's the
> > recommended way of configuring rules so this doesn't happen? Do I have
> > to add an object for the host's native IP address, and a rule for each
> > host with an automatic static NAT?
> >
> >     Source           Destination                 Service   Action
> >     Net_192.168.1.0  Host_object_native_address  Any       Deny
> >     Net_192.168.1.0  Host_object                 Any       Allow
> >
> > Yuck.
> >
> > Worse yet is when we must allow access to the native IP from internal
> > nets. Like so?
> >
> >     Source           Destination                 Service   Action
> >     Net_10.1.1.0     Host_object_native_address  Any       Allow
> >     Any              Host_object_native_address  Any       Deny
> >     Net_192.168.1.0  Host_object                 Any       Allow
> >
> > How do you deal with it?
> >
> > Dan Lynch, CISSP
> > Information Technology Analyst
> > County of Placer
> > Auburn, CA
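As an added illustration (not code from the thread or from Check Point), the following Python model walks a first-match rulebase in which an object with automatic static NAT matches both its native and its translated address, and contrasts the single-rule policy with the ordered deny-native rulebase proposed in the thread. The NAT address 203.0.113.10 and the sample host addresses are constructed for the example, and the service column is treated as Any.

```python
from ipaddress import ip_address, ip_network

# Constructed objects; the NAT address 203.0.113.10 is an illustrative value.
# An object with automatic static NAT matches BOTH its native and its NAT IP,
# which is the behaviour the thread describes.
OBJECTS = {
    "Any": lambda ip: True,
    "Net_192.168.1.0": lambda ip: ip in ip_network("192.168.1.0/24"),
    "Net_10.1.1.0": lambda ip: ip in ip_network("10.1.1.0/24"),
    "Web_server": lambda ip: ip in (ip_address("10.1.1.1"),
                                    ip_address("203.0.113.10")),
    # Plain host object holding only the native address, as the thread proposes.
    "Web_server_native": lambda ip: ip == ip_address("10.1.1.1"),
}

def evaluate(rules, src, dst):
    """First-match evaluation; returns (rule number, action) or (None, 'Drop')."""
    s, d = ip_address(src), ip_address(dst)
    for number, (rule_src, rule_dst, action) in enumerate(rules, start=1):
        if OBJECTS[rule_src](s) and OBJECTS[rule_dst](d):
            return number, action
    return None, "Drop"  # implicit cleanup: nothing matched

# Single rule from the thread (service column omitted, treated as Any).
SIMPLE = [("Net_192.168.1.0", "Web_server", "Allow")]

# Ordered rulebase from the thread: internal net may reach the native IP,
# everyone else is denied the native IP, partners are allowed the NAT object.
ORDERED = [
    ("Net_10.1.1.0", "Web_server_native", "Allow"),
    ("Any", "Web_server_native", "Deny"),
    ("Net_192.168.1.0", "Web_server", "Allow"),
]

def audit(rules, pairs):
    """Map each (src, dst) pair to the action the rulebase would take."""
    return {pair: evaluate(rules, *pair)[1] for pair in pairs}

if __name__ == "__main__":
    pairs = [("192.168.1.5", "203.0.113.10"),  # partner -> NAT address
             ("192.168.1.5", "10.1.1.1"),      # partner -> native address
             ("10.1.1.50", "10.1.1.1")]        # internal -> native address
    for name, rules in (("SIMPLE", SIMPLE), ("ORDERED", ORDERED)):
        for (s, d), action in audit(rules, pairs).items():
            print(f"{name:8} {s:>12} -> {d:<13} {action}")
```

Running it shows the single rule accepting the partner's connection to the native 10.1.1.1 as well as to the NAT address, while the ordered rulebase denies the native address to the partner net and still allows it from the internal net.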
