Hi,
We're trying to demo client-server software which crosses our firewall (and the
Atlantic). All communication is by UDP packets.
The machine we're setting the demo up on is a machine on our internal
network (which is a 172.18.0.0 net). This machine is called int_ip.
To allow connections to this machine our ISP has added a routable IP
with the DNS entry ext_ip at their site.
I've created a network workstation object for this machine and set it to
have static NAT for the ext_ip. I've added a rule which enables UDP
high ports and certain other services to/from the int_ip.
And it works...in general. I can ping external machines which see the
pings coming from ext_ip and not int_ip. If I snoop on the internal
interface of the firewall I see the pings coming from int_ip. If
I snoop on the external interface I see the pings coming from ext_ip.
Other services, like ssh, work fine too.
The problem occurs when we start the demo. When the demo starts up
(on int_ip) it sends a packet on port 3111 (say). The server
sees this packet coming from ext_ip (good). It sends an ack and tells
the client (at ext_ip) to start sending to port 3112 (say). The client
(int_ip) sees this and starts sending to port 3112. This is where the
problem begins. The firewall doesn't seem to NAT the packets sent to
port 3112.
Snooping the firewall interfaces: the internal interface shows all
UDP for both 3111 and 3112 coming from int_ip. The external interface
shows all UDP to 3111 as coming from ext_ip but all UDP for 3112 as
coming from int_ip.
It seems the firewall gets confused when the client starts sending to
a new port. Just to reiterate, the ports don't seem to be the problem
themselves. It is when an existing client starts sending to a new port.
No NATting occurs on the packets for the new port.
Any clues as to what might be wrong?
Many thanks,
- Michael
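The exchange and the capture the post describes, modelled as an added example that is not part of the original message and not Check Point code: a one-to-one static NAT should rewrite the source of every outbound packet from int_ip to ext_ip regardless of the destination port, so a practitioner checking the external-interface snoop can simply flag any UDP packet that still carries a 172.18.0.0/16 source. The addresses (INT_IP, EXT_IP, SERVER), the source ports and the tcpdump-style capture lines are constructed for illustration; the post names neither the real addresses nor the cause of the fault, and this code does not guess at one.

```python
"""Model of one-to-one static NAT plus a leak check over external-interface
capture lines. Constructed example; addresses and capture are not from the post."""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("172.18.0.0/16")  # the poster's internal net
INT_IP = "172.18.0.10"     # assumed address for int_ip
EXT_IP = "198.51.100.10"   # assumed routable address for ext_ip
SERVER = "203.0.113.5"     # assumed remote demo server

# Constructed tcpdump-style UDP lines as seen on the INTERNAL interface:
# the client talks to 3111 first, then is told to send to 3112.
INTERNAL_CAPTURE = f"""\
12:00:00.000000 IP {INT_IP}.40001 > {SERVER}.3111: UDP, length 32
12:00:00.050000 IP {SERVER}.3111 > {INT_IP}.40001: UDP, length 16
12:00:00.100000 IP {INT_IP}.40002 > {SERVER}.3112: UDP, length 512
12:00:00.150000 IP {INT_IP}.40002 > {SERVER}.3112: UDP, length 512
"""

# Constructed lines as observed on the EXTERNAL interface, mirroring the
# symptom in the post: 3111 is translated, 3112 leaves untranslated.
EXTERNAL_CAPTURE = f"""\
12:00:00.000001 IP {EXT_IP}.40001 > {SERVER}.3111: UDP, length 32
12:00:00.050001 IP {SERVER}.3111 > {EXT_IP}.40001: UDP, length 16
12:00:00.100001 IP {INT_IP}.40002 > {SERVER}.3112: UDP, length 512
12:00:00.150001 IP {INT_IP}.40002 > {SERVER}.3112: UDP, length 512
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def parse_udp(line):
    """Parse one tcpdump/snoop-style UDP line into a dict, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4))}


def static_nat(pkt, int_ip=INT_IP, ext_ip=EXT_IP):
    """What a one-to-one static NAT should do, independent of port:
    outbound packets from int_ip get source ext_ip; inbound packets
    to ext_ip get destination int_ip. Ports are never changed."""
    out = dict(pkt)
    if pkt["src"] == int_ip:
        out["src"] = ext_ip
    elif pkt["dst"] == ext_ip:
        out["dst"] = int_ip
    return out


def expected_external_view(internal_capture):
    """Apply the static NAT model to every internal-side packet."""
    return [static_nat(p) for p in map(parse_udp, internal_capture.splitlines()) if p]


def untranslated_flows(external_capture, internal_net=INTERNAL_NET):
    """Flows seen on the external interface whose source is still an
    internal address, keyed (src, dst, dport) -> packet count. Anything
    here is traffic the NAT should have rewritten and did not."""
    leaks = defaultdict(int)
    for line in external_capture.splitlines():
        pkt = parse_udp(line)
        if pkt and ipaddress.ip_address(pkt["src"]) in internal_net:
            leaks[(pkt["src"], pkt["dst"], pkt["dport"])] += 1
    return dict(leaks)


def leaking_ports(external_capture):
    """Sorted destination ports whose packets left untranslated."""
    return sorted({dport for (_, _, dport) in untranslated_flows(external_capture)})


if __name__ == "__main__":
    for p in expected_external_view(INTERNAL_CAPTURE):
        print("expected:", p)
    print("untranslated:", untranslated_flows(EXTERNAL_CAPTURE))
    print("leaking ports:", leaking_ports(EXTERNAL_CAPTURE))
```

Run against a real external-interface capture, `untranslated_flows` should be empty; the modelled symptom yields only the 3112 flow, matching the observation that 3111 is translated and 3112 is not.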
===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================