On Fri, May 26, 2000 at 04:37:54PM -0700, Paul Keser wrote:
>
> You will need to create your NAT rules manually instead of using automatic
> NAT rules on your network objects.
>
> Then you can create a similar NAT ruleset:
>
> Original packet            Translated packet
> Src     Dest   Svc         Src      Dest   Svc
> NetA    NetB   any         orig     orig   orig
> NetB    NetA   any         orig     orig   orig
> NetB    any    any         hideB    orig   orig   (hide NAT)
> wsrvr   any    any         wsrvrN   orig   orig   (Static NAT)
> ftp     any    any         ftpN     orig   orig   (Static NAT)
>
>
> NetA = 10.230.230.0 network object
> NetB = 10.230.231.0 network object
> hideB = Workstation object in 207.46.10.0 address space for hide NAT
> wsrvr = workstation object for www server in NetA
> wsrvrN = workstation object in 207.46.10.0 address space for www server's
> routable address for static NAT
> ftp = workstation object for ftp server in NetA
> ftpN = workstation object in 207.46.10.0 address space for ftp server's
> routable address for static NAT
>
> I am assuming that NetA is going to be where you put WWW, Email and other
> publicly addressable servers (frequently called DMZ). If you plan to use
> non-routable addresses (RFC 1918) you will need to use static NAT to map
> each server to a routable IP address and add static host routes for these
> routable addresses pointing to the RFC 1918 addresses. Also if the
> addresses you are using are in the 207.46.103.0 network you will also need
> to configure the firewall to proxy ARP for the routable addresses.
>
> I hope this helps.
It does (I think). I will set up a lab to test the concepts. What I
read from this is the address translation "rules" can be applied in
first match sequence like the normal access rules... this is useful,
except that I've a lot of point/click/cussing ahead of me. Sad that it
is tied to the windows GUI, that's um, tedious in my current
configuration. Not that the OpenLook interface is/was really any
more/less useful, just wishing they had something that wasn't so
OS/platform-centric.
'n just for clarification (to others that may be reading this
thread), the NetA in the above config is not a directly accessible
(external) perimeter network, but a wan connected sub-net that is a
quasi-internal network, so static NAT isn't required, nor
desired. Meaning they should look like yet another internal user on
outbound Internet access, but have restricted access to internal
systems. The external services perimeter network addresses fall into
a truly routable block something like a "207.46.11.0..." in this
example and doesn't appear in the previous diagrams. I left this out
for simplification and used the internal addressing solely to simplify
and mask the true customer address space.
and Thanks Paul!
fj..
--
"The days are just packed!" Calvin & Hobbes
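The first-match behaviour discussed in the reply, modelled in Python as an added example (not code from either poster or from Check Point): the quoted ruleset is walked top-down and the first matching rule decides the translation. The host addresses inside NetA and in 207.46.10.0 are constructed placeholders, and the inbound half of each static mapping is assumed from Paul's description of static NAT rather than taken from his table.

```python
import ipaddress

# Network objects named in the thread. The specific host addresses in
# NetA and in 207.46.10.0 are constructed placeholders.
NET_A = ipaddress.ip_network("10.230.230.0/24")
NET_B = ipaddress.ip_network("10.230.231.0/24")
WSRVR, WSRVR_N = "10.230.230.80", "207.46.10.80"   # www server, routable twin
FTP, FTP_N = "10.230.230.21", "207.46.10.21"       # ftp server, routable twin
HIDE_B = "207.46.10.254"                           # hide address for NetB
ANY = "any"

def matches(addr, obj):
    """A rule object is a network, a single host address, or 'any'."""
    if obj == ANY:
        return True
    if isinstance(obj, ipaddress.IPv4Network):
        return ipaddress.ip_address(addr) in obj
    return addr == obj

# (src, dst, translated src, translated dst, label); None keeps "orig".
RULES = [
    (NET_A, NET_B, None, None, "NetA->NetB orig"),
    (NET_B, NET_A, None, None, "NetB->NetA orig"),
    (NET_B, ANY, HIDE_B, None, "hide NAT"),
    (WSRVR, ANY, WSRVR_N, None, "static NAT (www out)"),
    (FTP, ANY, FTP_N, None, "static NAT (ftp out)"),
    # Inbound half of each static mapping: assumed from the post's
    # description of static NAT, not present in the quoted table.
    (ANY, WSRVR_N, None, WSRVR, "static NAT (www in)"),
    (ANY, FTP_N, None, FTP, "static NAT (ftp in)"),
]

def translate(src, dst, rules=RULES):
    """Walk the rulebase top-down; the first match decides, like access rules."""
    for src_m, dst_m, new_src, new_dst, label in rules:
        if matches(src, src_m) and matches(dst, dst_m):
            return (new_src or src, new_dst or dst, label)
    return (src, dst, "no NAT")

def misordered_rules():
    """Hide rule moved to the top: NetB->NetA traffic now gets hidden too."""
    return [RULES[2]] + [r for r in RULES if r is not RULES[2]]
```

Running `translate` over NetB-to-NetA traffic with `misordered_rules()` shows why the two "orig" rules must sit above the hide rule.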