I agree with Jim,
the link to phoneboy's doesn't work with NG.
I tested with tcp_wrappers and Netcat, modifying /etc/services and
/etc/inetd.conf, and that's right, but NG doesn't translate anything (I don't
need any NAT rule).
I tested a new service "other", named telnet_mapped, with IP protocol 6
and a Match definition with SRV_REDIRECT (23, telnethost, 23), and this works
fine!!!, but I don't need these NAT rules:
NAT RULES:
ORIG PACKET               TRANS PACKET                           INSTALL ON
Any - Firewall - http     Original - Webserver - Original        Gateways
Any - Firewall - telnet   Original - Internalserver - Original   Gateways
I only need these NAT rules (to get out to the Internet from the internal LAN):
ORIG PACKET                          TRANS PACKET
Internal_lan - Internal_lan - any    Original - Original - Original
Internal_lan - any - any             Original - Valid_IP - Original
And the only RULE necessary is:
SOURCE                DESTINATION   SERVICE         ACTION   TRACK
Negate Internal_lan   Firewall      telnet_mapped   Accept   Log
Any                   Any           Any             Drop     Log
This works fine!!! I can see the Xlated destination in the packets when I
telnet to the external IP address, like this:
61.62.63.123 (Origin)  Firewall (Destination)  telnet (Service)  5 (rule number)  Accept  telnethost (Xlated dest.)  telnet (Xlated port)
I think phoneboy's document is wrong in some things, or not well explained
to me.
Raul
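As an added example (not taken from Raul's or Jim's messages, nor from the phoneboy FAQ), this is what the tcp_wrappers + inetd + Netcat relay that Raul mentions testing looks like on the firewall host itself. The target name telnethost comes from the thread; the paths /usr/sbin/tcpd and /usr/bin/nc, the unprivileged user nobody and the permitted network 192.168.1.0/24 are assumptions.

```conf
# /etc/services -- the standard entry already covers 23/tcp; if the relay
# should listen on some other port, add a name for it here instead (assumed).
telnet          23/tcp

# /etc/inetd.conf -- inetd accepts on 23/tcp, tcpd checks hosts.allow and
# hosts.deny, then execs nc with the accepted socket as stdin/stdout; nc
# connects to telnethost:23 and relays both directions until either side
# closes. The firewall host must not run its own telnetd on port 23.
telnet  stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/bin/nc telnethost 23

# /etc/hosts.allow -- tcpd keys on the basename of the wrapped program ("nc"),
# so the rule names nc, not telnet. 192.168.1.0/24 is an assumed client range.
nc: 192.168.1.0/255.255.255.0

# /etc/hosts.deny -- everything not listed above is refused before nc starts.
nc: ALL
```

Two caveats worth keeping in mind with this approach: the relay is a userland process on the firewall, so the FW-1 rulebase still has to accept telnet to the Firewall object for it to be reached, and telnethost sees every relayed session with the firewall's own address as the source, so its logs no longer show the real client; the hosts.allow entry is the only place the client address is enforced. That is the difference from the telnet_mapped service above, where the SRV_REDIRECT happens in the kernel module and the log shows the original source together with the Xlated destination.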
----- Original Message -----
From: "Jim Parker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 23, 2002 1:12 PM
Subject: [FW-1] NG NAT with one valid IP doesn't work
>
> A question has been asked about port address translation. A subscriber has
> answered this request for information by posting a link to phoneboy's website,
> which has an FAQ which explains that on NG you can use network address
> translation to translate the public IP of the firewall, port 80, to a private
> address on port 80. (The firewall in this scenario has a single public IP.)
>
> I have tested this on two versions of NG on two platforms. I had no success
> on either using the following NAT rule.
> (Note: tested on NG FP1 IPSO and NG FP2 Win2k.)
>
> ORIG PACKET               TRANS PACKET
> any - firewall - http     orig - web_server - orig
>
> I did however have success using this 'single public IP bound to the
> firewall external NIC' scenario by using an 'http-mapped' rule as follows:
> (Note: this works on 4.1 SP5, NG FP1 IPSO and NG FP2 Win2k.)
>
> any - firewall - http-mapped - accept
> any - web_server - http - accept
> any - any - any - drop
>
> Note, the 'http-mapped' match is set to
> 'SRV_REDIRECT(80,<web_server_ip>,80)'
>
> For these tests I had client-side NAT enabled and the rule base was any
> accept.
>
> I tested another scenario: 2 public IPs, one bound to the firewall external
> NIC, the other with a proxy ARP entry I added for it in Voyager. I then used a
> network address translation rule to port translate and IP translate. This
> was successful (as one would expect). (Tested on NG FP1 IPSO.)
>
> ORIG PACKET                         TRANS PACKET
> any - proxy_arp_pub_ip - http       orig - web_server - orig
> web_server - any - any              proxy_arp_pub_ip - orig - orig
>
> ----- Original Message -----
>
> Subject: Re: [FW-1] NG NAT with one valid IP doesn't work
>
>
> And again :-) :
>
> http://www.phoneboy.com/faq/0428.html
>
> Tells it all....
>
> Theo
>
