On Fri, 02 Jun 2000 05:33:24 -0700, Jerald Josephs wrote:
>It is more accurate to state that NAT is one of the last things that FW-1
>will do rather than stating that it occurs on the outbound interface. I
>know that we have stated that NAT occurs on the outbound interface before,
>but that is not what is happening on all platforms FW-1 runs on.
Well, at least the FW-1 manual shows it this way (I'm talking about V4.0
here).
>
>Unfortunately, since this thread does not include all responses, it is not
>easy to determine what was suggested and what does and does not work.
No additional responses via private mail.
>
>Going back to Joerg's original email. I see that he wants to use Static NAT
>to translate the valid, external IP address associated with this site's MX
>record to the invalid, internal IP address assigned to the SMTP server,
>which has been relocated behind the firewall.
>
>But, I only see the FWXT_DST_STATIC rule. What about the FWXT_SRC_STATIC
>rule? What has been done to enable the SMTP server to have its packets
>translated back to the valid, external IP address?
Yeah, that was the easy part and has been done by automatic NAT rules.
The tricky part is to catch the SMTP traffic and translate the
destination address to a new server that is located in the great wide
open (where the other server has been located before). To achieve this
I created the rule described in my original post. If this would work,
the answer packets from this server to the sender won't touch the
firewall again, hence I don't need a "translate back" rule.
Maybe this ASCII "Art"work can clarify what I mean:
                 valid address                    private address
         traffic-----------------> NAT ----------->
                                                             +---------+
    /~~^''')            +----------+                         |relocated|
   Internet)------+-----| FW-1     |-------------------------| mail    |
    _______)      |     +----------+             |           | server  |
       ^          |                              |special NAT+---------+
       |          |     +---------+              |(SMTP)
       |          |     | new     |<-------------+to new server with a valid address
       +----------+-----| mail    |
    answer              | server  |
    to                  +---------+
    sender
My experiments show that SMTP traffic is indeed translated to the new
server's address, but is routed to the segment where the old
(relocated) server resides.
Kind regards,
Joerg
// pallas GmbH ............ Joerg Oertel ...........
Hermuelheimer Str. 10                System engineer
D-50321 Bruehl, Germany              [EMAIL PROTECTED]
phone +49-(0)2232-1896-0
http://www.pallas.de                 fax +49-(0)2232-1896-29
........................................................
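The symptom Joerg reports (destination rewritten to the new server's address, packet still emitted toward the old server's segment) is what you get when the route lookup runs on the original destination and the NAT rewrite happens afterwards. The following Python model is an added illustration, not code from this thread or from Check Point; it is a toy packet path, not FW-1's real implementation. It assumes RFC 5737 documentation addresses, placeholder interface names "int" and "ext", and that the firewall carries a /32 host route for the public MX address pointing at the internal segment (the usual companion of static NAT for a server behind the firewall). It runs the same SMTP and HTTP packets through both orderings so the difference is visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# All addresses are constructed from RFC 5737 documentation ranges, not the
# thread's real ones. Interface names "int"/"ext" are placeholders.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Firewall routing table as (prefix, egress interface); longest prefix wins.
# The /32 host route is the one an admin typically adds so that static NAT
# for a relocated server works; its presence here is an assumption.
ROUTES = [
    ("192.0.2.25/32", "int"),   # public MX address -> internal segment (old server)
    ("10.0.0.0/8", "int"),      # private segment behind the firewall
    ("0.0.0.0/0", "ext"),       # default route toward the Internet
]

# Destination NAT rules, first match wins (port None = any port).
NAT_RULES = [
    ("192.0.2.25", 25, "198.51.100.25"),  # "special NAT (SMTP)": mail goes to the new server
    ("192.0.2.25", None, "10.0.0.25"),    # automatic static NAT for the relocated server
]

def route_lookup(dst: str, routes=ROUTES) -> str:
    """Return the egress interface for dst by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]

def apply_dnat(pkt: Packet, rules=NAT_RULES) -> Packet:
    """Rewrite the destination using the first matching NAT rule."""
    for match_dst, match_port, new_dst in rules:
        if pkt.dst == match_dst and match_port in (None, pkt.dport):
            return Packet(pkt.src, new_dst, pkt.dport)
    return pkt

def forward(pkt: Packet, nat_before_routing: bool) -> Tuple[str, str]:
    """Return (translated destination, egress interface) for one ordering."""
    if nat_before_routing:
        pkt = apply_dnat(pkt)
        return pkt.dst, route_lookup(pkt.dst)
    iface = route_lookup(pkt.dst)      # decided on the ORIGINAL destination
    pkt = apply_dnat(pkt)              # destination rewritten only afterwards
    return pkt.dst, iface

if __name__ == "__main__":
    smtp = Packet("203.0.113.7", "192.0.2.25", 25)
    http = Packet("203.0.113.7", "192.0.2.25", 80)
    for order in (False, True):
        label = "NAT before routing" if order else "NAT after routing"
        print(f"{label}: SMTP -> {forward(smtp, order)}, HTTP -> {forward(http, order)}")
```

With NAT after routing, the SMTP packet leaves on "int" carrying the new server's public address, which is exactly the misrouting observed; the HTTP packet is unaffected because its translated destination lives on the same segment the host route already selected. With NAT before routing, the rewritten destination hits the default route and goes out "ext". The practical check when a redirect-style destination NAT misbehaves is therefore the routing table entry for the untranslated destination, not the NAT rule itself.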
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================