My English is not good. I hope you can read me.
Our external router connects to the ISP via a leased line and an ADSL. We
want to make all outgoing HTTP traffic (internal users' web surfing) go through
the ADSL, while the other traffic like mail, ftp, incoming HTTP service
uses the leased line. This router can route the network traffic, as in our idea,
by the source address. So I configured a NAT for our internal cache server.
All our intranet nodes are hidden behind a virtual IP address (not the
firewall's external address). I configured another static NAT address for our
internal cache server.
My NAT rules in digest:
1. src CACHE dest ANY svc ANY ----translated----> src CACHE(valid) dest ORIG svc ORIG
2. src ANY dest CACHE svc ANY ----translated----> src ORIG dest CACHE(valid) svc ORIG
(the above are added automatically)
3. src INTRANET dest INTRANET svc ANY ----translated----> src ORIG dest ORIG svc ORIG
4. src INTRANET dest ANY svc ANY ----translated----> src VIRTUAL IP(hide) dest ORIG svc ORIG
PS. I use HTTP resource (content security server) for outgoing HTTP.
-----Original Message-----
From: Scott Schindler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 18, 2000 9:49 PM
To: D330 SCHsu
Cc: Fw-1-Mailinglist (E-mail)
Subject: RE: [FW1] NAT doesn't work for HTTP and FTP
Redirect it how? Sounds a little like domain load balancing. Balance from
outside the firewall if so. Explain why and we can probably offer more
assistance.
-----Original Message-----
From: D330 SCHsu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 17, 2000 10:10 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: [FW1] NAT doesn't work for HTTP and FTP
So, how do I make the NAT rule take effect before the outbound HTTP rule? I have
no idea about this.
Besides, on page 207 of the AA book (version 4.0), address translation takes
place after the security rule.
It's very important to me since I want to redirect the HTTP traffic to
another line in the router.
The router can redirect traffic depending on source address.
Marcus
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 17, 2000 9:46 PM
To: D330 SCHsu
Subject: RE: [FW1] NAT doesn't work for HTTP and FTP
This is simply because your outbound WEB rule is occurring before your static
rule for the server.
As long as your other services are working OK, I wouldn't worry about it.
Thomas
-----Original Message-----
From: D330 SCHsu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 17, 2000 3:48 AM
To: '[EMAIL PROTECTED]'
Subject: [FW1] NAT doesn't work for HTTP and FTP
Hi.
I have set a NAT for one internal workstation and the NAT rule is
automatically generated, but I found the source address is translated to the
firewall's external address when it initiates an HTTP or FTP request, but not
the NAT I specified. However, the NAT is effective for other services.
Example:
the workstation internal IP address is 10.2.1.1, the NAT I set is 202.2.1.1
the firewall external IP address is 202.2.1.250
If I try to use HTTP or FTP on 10.2.1.1, its address is translated to 202.2.1.250
If I try to use telnet, pop3, nntp..., it's translated to 202.2.1.1.
Can anyone help me?
---------------------------------------------------
o Marcus Hsu, Shyh-Chieh (ext. 7639) O o
o D330 System Engineer, IT Div.  <\-/> o
o Winbond Electronics Corp. _/ \_ o
o My Homepage: http://Marcus.Hsu.net/ o
o http://Marcus.idv.tw/ o
---------------------------------------------------
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
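Added example, not part of the original thread and not Check Point code: a simplified first-match model of the four NAT rules listed in the top message, run over the addresses quoted in the thread. The intranet range, the hide address, the destination host, the direction of rule 2, and the idea that a connection re-opened by the firewall itself (as a proxying security server would do) carries the firewall's own source address are assumptions.

```python
import ipaddress as ipa

# 10.2.1.1, 202.2.1.1 and 202.2.1.250 are the addresses quoted in the thread.
# The intranet range and the hide (virtual) address are constructed placeholders.
CACHE = "10.2.1.1"
CACHE_VALID = "202.2.1.1"
FW_EXTERNAL = "202.2.1.250"
INTRANET = ipa.ip_network("10.0.0.0/8")
HIDE_IP = "202.2.1.2"

ANY = ipa.ip_network("0.0.0.0/0")
ORIG = None  # "leave this field unchanged"

def host(ip):
    """Single-address network, so every match field has the same type."""
    return ipa.ip_network(ip + "/32")

# (rule number, match src, match dst, translated src, translated dst)
NAT_RULES = [
    (1, host(CACHE), ANY, CACHE_VALID, ORIG),      # automatic static rule
    (2, ANY, host(CACHE_VALID), ORIG, CACHE),      # automatic; direction assumed
    (3, INTRANET, INTRANET, ORIG, ORIG),           # no NAT inside the intranet
    (4, INTRANET, ANY, HIDE_IP, ORIG),             # hide behind the virtual IP
]

def translate(src, dst):
    """Return (matching rule number or None, new src, new dst); first match wins."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for number, m_src, m_dst, t_src, t_dst in NAT_RULES:
        if s in m_src and d in m_dst:
            return number, t_src or str(s), t_dst or str(d)
    return None, str(s), str(d)  # no rule matched: packet leaves untranslated

def demo():
    """Constructed flows; 198.51.100.10 stands in for any Internet host."""
    flows = {
        "cache, direct": (CACHE, "198.51.100.10"),
        "intranet client": ("10.2.1.50", "198.51.100.10"),
        "intranet to intranet": ("10.2.1.50", "10.3.0.9"),
        "opened by firewall": (FW_EXTERNAL, "198.51.100.10"),
    }
    return {name: translate(s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

In this model only a packet that still carries 10.2.1.1 as its source reaches rule 1; a connection whose source is already 202.2.1.250 matches no rule, which is the address the router would then see for source-based routing.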