Corey,
Am I safe in saying that you're using pre v4.1sp2 or pre v4.0sp7?
In both examples, the connection is cleared from the connection table, although possibly in a different fashion which I can't tell. But the question is, if I may reword it, why does the fw treat these differently, when it appears to be the similar scenario?
My _guess_ would be that the NAT table entry is also cleared and may be checked first. Since the connection no longer exists in this table, the fw disallows the re-establishment of the connection.
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> <[EMAIL PROTECTED]> 8/24/00 3:06:40 PM >>>
>
>Observe the following policy:
>
>Security Policy
>No.  Source   Destination  Service  Action
>1    Any      Any          Any      accept
>
>Address Translation
>     Original Packet                  Translated Packet
>No.  Source   Destination  Service   Source   Destination  Service
>1    Any      host-1       Any       =Orig    host-2       =Orig
>2    host-2   Any          Any       host-1   =Orig        =Orig
>
>The policy rule allows everything. The NAT is a simple pair of static source
>mode and static destination mode rules. Think of host-2 as the invalid internal
>address and host-1 as the valid address which can be used from outside the
>firewall.
>
>Here's the problem:
>1) Telnet to host-1 from outside the firewall. The connection is established to
>host-2 (as expected) and everything works fine as long as you keep the
>connection active.
>2) If you sit idle long enough (in my case the firewall clears the connection
>table after 200 seconds of inactivity), then when you try to do anything (like
>just hit a key in your telnet session), you get a "connection to host lost"
>message.
>
>Without NAT:
>If you're not using NAT, and you ran the same test (just connecting directly to
>a machine), there is no problem when the connection is cleared from the
>firewall's connection table. The next time you transmit any data (like hit a
>key), the firewall simply re-authorizes the connection and everything continues
>as if nothing ever happened.
>
>What's the difference? Why does using NAT cause a lost connection? What can be
>done to make NAT work as transparently as not using NAT? Both my ISP and
>Checkpoint technical support say to just increase the time-out. But that's not
>the point, I want to understand why the firewall behaves differently using NAT
>here. NAT is a pretty common thing, is this causing anyone else a problem?
>
>Corey Hull
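Added illustration, not Check Point code or anything from this thread: a toy stateful firewall with an idle timeout that models Robert's guess above (the NAT binding is created on the first packet and lives only in the connection table). The host names and the 200 s timeout come from Corey's mail; the firewall internals, the `Firewall` class and `telnet_session` are constructed assumptions, not FW-1's real behaviour.

```python
# Toy model of a stateful firewall with an idle timeout, with and without NAT.
# Assumption being modelled (Robert's guess, not FW-1 internals): the NAT
# binding is stored only in the connection table and only created on a SYN.
from dataclasses import dataclass, field

IDLE_TIMEOUT = 200                   # seconds of inactivity before an entry is cleared
STATIC_NAT = {"host-1": "host-2"}    # NAT rule 1: dst host-1 -> host-2 (rule 2 is the reverse)


@dataclass
class Firewall:
    nat: dict = field(default_factory=dict)    # public address -> internal address
    conns: dict = field(default_factory=dict)  # (src, dst as seen) -> [last_seen, delivered_to]

    def _expire(self, now):
        self.conns = {k: v for k, v in self.conns.items() if now - v[0] <= IDLE_TIMEOUT}

    def inbound(self, src, dst, now, syn=False):
        """Return where an inbound packet is delivered, or None if the session is lost."""
        self._expire(now)
        key = (src, dst)
        entry = self.conns.get(key)
        if entry:                        # known connection: reuse the stored binding
            entry[0] = now
            return entry[1]
        # Not in the table: rule 1 (Any/Any/Any accept) re-authorizes the packet.
        if dst not in self.nat:          # no NAT involved: forward as-is
            self.conns[key] = [now, dst]
            return dst
        if syn:                          # first packet of a NAT'd connection: create the binding
            self.conns[key] = [now, self.nat[dst]]
            return self.nat[dst]
        # Mid-stream packet whose binding was cleared (the modelled guess):
        # nothing translates it to host-2, so the telnet session is lost.
        return None


def telnet_session(use_nat, idle_gap):
    """Deliveries for a SYN at t=0, data at t=1, then data after `idle_gap` idle seconds."""
    fw = Firewall(nat=STATIC_NAT if use_nat else {})
    target = "host-1" if use_nat else "host-2"   # outside clients see host-1 only when NAT is on
    return [fw.inbound("client", target, 0, syn=True),
            fw.inbound("client", target, 1),
            fw.inbound("client", target, 1 + idle_gap)]


if __name__ == "__main__":
    print("no NAT, 300 s idle :", telnet_session(False, 300))  # ['host-2', 'host-2', 'host-2']
    print("NAT, 300 s idle    :", telnet_session(True, 300))   # ['host-2', 'host-2', None]
    print("NAT, 100 s idle    :", telnet_session(True, 100))   # ['host-2', 'host-2', 'host-2']
```

Shortening the idle gap below IDLE_TIMEOUT keeps the binding alive in both cases, which is what the "increase the time-out" advice in the thread relies on.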
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================