Don't know if the thread is dead, but the explanation of NAT is simple,
although certainly not self-explanatory.


FW-1 does NAT on the interface that is farthest from the client (i.e.,
connection originator) and thus furthest from the server (connection
target).

On connections originating inside the network, NAT takes place on the
external interface--all inbound and outbound traffic that is part of that
connection is NATed there.

Likewise, on connections originating outside the network, NAT takes place on
the internal interface for all packets traveling in either direction.


This does not rule out the possibility that I am completely
misinformed......

Hope this helps somebody...


Michael

-----michael cannella   ccsi   mailto:[EMAIL PROTECTED]
-----Internet Security Systems, Secure University
-----http://www.iss.net/




> -----Original Message-----
> From: Joerg Oertel [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 02, 2000 10:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW1] Advanced Misuse Configuration Guide :-)
> 
> 
> 
> On Fri, 02 Jun 2000 05:33:24 -0700, Jerald Josephs wrote: 
> 
> >It is more accurate to state that NAT is one of the last things that FW-1 will
> >do rather than stating that it occurs on the outbound interface. I know that we
> >have stated that NAT occurs on the outbound interface before, but that is not
> >what is happening on all platforms FW-1 runs on.
> 
> Well, at least the FW-1 manual shows it in this way (I'm talking 
> about V4.0 here).
> 
> >
> >Unfortunately, since this thread does not include all responses, it is not
> >easy to determine what was suggested and what does and does not work.
> 
> No additional responses via private mail. 
> 
> 
> >
> >Going back to Joerg's original email. I see that he wants to use Static NAT
> >to translate the valid, external IP address associated with this site's MX
> >record to the invalid, internal IP address assigned to the SMTP server, which
> >has been relocated behind the firewall.
> >
> >But, I only see the FWXT_DST_STATIC rule. What about the FWXT_SRC_STATIC
> >rule?  What has been done to enable the SMTP server to have its packets
> >translated back to the valid, external IP address?
> 
> Yeah, that was the easy part and has been done by automatic 
> NAT rules. 
> The tricky part is to catch the SMTP traffic and translate the 
> destination address to a new server that is located in the great wide 
> open (where the other server has been located before). To 
> achieve this 
> I created the rule described in my original post. If this would work, 
> the answer packets from this server to the sender won't touch the 
> firewall again, hence I don't need a "translate back" rule.
> 
> Maybe this ASCII "Art"work can clarify what I mean:
> 
> 
> 
>            valid address             private address 
> traffic----------------->    NAT    ----------->
>                                                 +---------+
> /~~^''')                 +----------+           |relocated|
>  Internet)------+--------|   FW-1   |-----------|   mail  |
> _______)        |        +----------+           |  server |
>      ^          |           |special NAT        +---------+
>      |     +---------+      |(SMTP)
>      |     |   new   |<-----+to new server with a valid address
>      +-----|  mail   |
>   answer   | server  |
>     to     +---------+
>   sender
> 
> 
> My experiments show that SMTP traffic is indeed translated to the new 
> server's address, but is routed to the segment where the old 
> (relocated) server resides.
> 
> Kind regards,
> 
> Joerg
> 
> // pallas  GmbH  ............  Joerg Oertel  ...........
>    Hermuelheimer Str. 10       System engineer                   
>    D-50321 Bruehl, Germany     [EMAIL PROTECTED]           
>                                phone  +49-(0)2232-1896-0 
>    http://www.pallas.de        fax   +49-(0)2232-1896-29
> ........................................................
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
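The ordering question the thread turns on (whether the routing decision is made before or after destination NAT) can be modelled in a few lines. This is an added illustration, not code from the thread or from FireWall-1; the topology, interface names and addresses are constructed, and the "route first" pipeline is only a model of the behaviour Joerg observed, not Check Point's implementation.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (documentation address ranges, not the poster's):
#   eth0 = external interface, eth1 = internal segment of the relocated server.
# The valid MX address is routed to eth1 so the automatic static NAT for the
# relocated server can deliver to it; the new mail server sits on the Internet.
MX_ADDR = ip_address("203.0.113.10")      # public address in the MX record
NEW_SERVER = ip_address("198.51.100.25")  # new server "in the great wide open"
ROUTES = [                                # (prefix, egress interface)
    (ip_network("0.0.0.0/0"), "eth0"),
    (ip_network("203.0.113.10/32"), "eth1"),
]
NAT_RULES = [                             # (original dst, dst port, translated dst)
    (MX_ADDR, 25, NEW_SERVER),            # the "special NAT (SMTP)" rule
]


def route(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def dst_nat(dst, port):
    """Apply the first matching static destination NAT rule, if any."""
    for orig, p, new in NAT_RULES:
        if dst == orig and port == p:
            return new
    return dst


def route_then_nat(dst, port):
    """Routing decided on the untranslated address, NAT applied afterwards.

    This is the ordering the thread describes: the packet leaves via the
    interface chosen for the MX address (eth1, the old segment) while
    carrying the new server's address as destination.
    """
    iface = route(dst)
    return iface, dst_nat(dst, port)


def nat_then_route(dst, port):
    """The ordering the SMTP redirect rule implicitly assumed."""
    new_dst = dst_nat(dst, port)
    return route(new_dst), new_dst
```

Running both pipelines on an inbound SMTP packet to the MX address shows the symptom from the last paragraph of the quoted mail: the destination is rewritten to the new server, but the egress interface is the one chosen for the original address.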

