Observe the following policy:

Security Policy

  No.  Source  Destination  Service  Action
  1    Any     Any          Any      accept

Address Translation

  No.  Original Packet                     Translated Packet
       Source   Destination  Service      Source   Destination  Service
  1    Any      host-1       Any          =Orig    host-2       =Orig
  2    host-2   Any          Any          host-1   =Orig        =Orig
The policy rule allows everything. The NAT is a simple pair of static source mode and static destination mode rules. Think of host-2 as the invalid internal address and host-1 as the valid address which can be used from outside the firewall.
Here's the problem:

1) Telnet to host-1 from outside the firewall. The connection is established to host-2 (as expected) and everything works fine as long as you keep the connection active.

2) If you sit idle long enough (in my case the firewall clears the connection table after 200 seconds of inactivity), then when you try to do anything (like just hit a key in your telnet session), you get a "connection to host lost" message.
Without NAT:

If you're not using NAT, and you run the same test (just connecting directly to a machine), there is no problem when the connection is cleared from the firewall's connection table. The next time you transmit any data (like hit a key), the firewall simply re-authorizes the connection and everything continues as if nothing ever happened.
What's the difference? Why does using NAT cause a lost connection? What can be done to make NAT work as transparently as not using NAT? Both my ISP and Checkpoint technical support say to just increase the time-out. But that's not the point, I want to understand why the firewall behaves differently using NAT here. NAT is a pretty common thing, is this causing anyone else a problem?
Corey Hull
American Management Systems
4050 Legato Road
Fairfax, VA 22033
Phone: 703-267-5332
Fax: 703-267-5380
e-mail: [EMAIL PROTECTED]
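The following is an added illustration, not code from the post above and not Check Point's implementation. It is a toy stateful firewall whose connection table drops idle entries after the 200 seconds the post mentions, run once without NAT and once with the static destination-NAT rule from the policy table. The host names and the outside client are placeholders. The one thing the model assumes, and the post does not state, is that the NAT rule base is consulted only when a connection entry is first created (on the SYN) and later packets reuse the translation stored in that entry; under that assumption the symptom in the post falls out directly, and the same code shows why a keepalive shorter than the idle timeout keeps the session alive.

```python
# Added illustration (not from the original post): a toy stateful firewall whose
# connection table drops idle entries after 200 seconds, run with and without a
# static NAT rule. Host names and the client are constructed placeholders.
# ASSUMED MODEL: the NAT rule base is consulted only when a connection entry is
# first created (on the SYN); later packets reuse the translation stored in the
# entry. The post reports the symptom but does not state the firewall's mechanism.
from dataclasses import dataclass, field

HOST1 = "host-1"       # valid address reachable from outside (from the post)
HOST2 = "host-2"       # internal address that host-1 is translated to (from the post)
CLIENT = "client"      # constructed outside client
IDLE_TIMEOUT = 200     # seconds, from the post


@dataclass
class Packet:
    src: str
    dst: str
    syn: bool = False  # True only for the first packet of a TCP connection


@dataclass
class Firewall:
    nat: bool
    # (src, dst) -> [last_seen, translated_dst]
    table: dict = field(default_factory=dict)

    def _expire(self, now: int) -> None:
        """Drop every entry that has been idle longer than IDLE_TIMEOUT."""
        for key, (last_seen, _) in list(self.table.items()):
            if now - last_seen > IDLE_TIMEOUT:
                del self.table[key]

    def inbound(self, pkt: Packet, now: int) -> str:
        """Return the destination address the packet is forwarded to.

        Rule 1 of the security policy accepts everything, so a packet is never
        dropped here; what varies is whether it is translated.
        """
        self._expire(now)
        key = (pkt.src, pkt.dst)
        if key in self.table:
            entry = self.table[key]
            entry[0] = now                 # refresh the idle timer
            return entry[1]
        # No entry: the permissive policy re-authorizes the packet and a new
        # entry is created, but (assumed model) static NAT is evaluated only
        # on the SYN. A mid-stream packet therefore keeps dst = host-1, which
        # no internal machine answers to, so the client sees the session die.
        if self.nat and pkt.syn and pkt.dst == HOST1:
            translated = HOST2
        else:
            translated = pkt.dst
        self.table[key] = [now, translated]
        return translated


def session(nat: bool, dst: str, gap: int) -> list:
    """SYN at t=0, a keystroke at t=100, then another keystroke `gap` seconds later."""
    fw = Firewall(nat=nat)
    return [
        fw.inbound(Packet(CLIENT, dst, syn=True), now=0),
        fw.inbound(Packet(CLIENT, dst), now=100),
        fw.inbound(Packet(CLIENT, dst), now=100 + gap),
    ]


def session_with_keepalive(nat: bool, dst: str, interval: int, total: int) -> list:
    """Send an empty keepalive every `interval` seconds for `total` seconds."""
    fw = Firewall(nat=nat)
    results = [fw.inbound(Packet(CLIENT, dst, syn=True), now=0)]
    t = interval
    while t <= total:
        results.append(fw.inbound(Packet(CLIENT, dst), now=t))
        t += interval
    return results


if __name__ == "__main__":
    print("no NAT, idle past timeout :", session(False, HOST2, IDLE_TIMEOUT + 1))
    print("NAT, idle past timeout    :", session(True, HOST1, IDLE_TIMEOUT + 1))
    print("NAT, keepalive every 60s  :", session_with_keepalive(True, HOST1, 60, 600))
```

Without NAT every packet, including the one that arrives after the table entry has expired, ends up at host-2 because the policy simply re-admits it. With NAT the third packet is re-admitted but forwarded untranslated to host-1, which reproduces the "connection to host lost" behaviour the post describes. Keepalives every 60 seconds never let the entry age past 200 seconds, so the translation survives; a 300-second interval loses it. The mechanism is the assumed one stated in the lead-in, so treat the model as a way to reason about state and NAT-binding lifetimes rather than as a statement of what FireWall-1 actually does.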
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================