-----Original Message-----
From: Arno Hechenberger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 14, 2000 2:29 AM
To: FW-1 Mailing List (E-Mail)
Subject: [FW1] Answer: StaticNAT

Look at Joe Di Pietro's static NAT cookbook.

On the second-to-last and last pages (I think it's p. 15) there is a very detailed packet manipulation diagram. If you can follow it (it is explained step by step), you can see that the way back to your host is not possible for internal hosts.
Arno
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Ing. Eduardo Frias T.
> Sent: Wednesday, 13 September 2000 19:59
> To: [EMAIL PROTECTED]
> Subject: [FW1] Static NAT question
>
> Hi.
>
> I have the following problem:
>
> I have an internal web server which I also have to make available for
> external requests. So I did static NAT.
>
> The rules I added:
>
>
> <32, 172.16.1.30, 172.16.1.30, FWXT_SRC_STATIC, 148.243.163.133, 0>,
> <33, 148.243.163.133, 148.243.163.133, FWXT_DST_STATIC, 172.16.1.30, 0>
>
> Besides that I also added two rules in my policy so I accept http
> connections from any place to the external IP address, and also put a
> rule in which I accept everything from my web server (internal ip) to
> any place.
>
> I added:
>
> route add 148.243.163.133 172.16.1.30
> and also added the arp entry.
>
> I made a probe and everything works, I can see my web server from any
> external machine, but when I try to access the web server from any
> internal machine I do not get an answer. I can only see the web server
> if I use the internal ip of the web server, but if I use the external
> ip I don't get any response. In the logs I see the connection is
> accepted but I don't get anything.
>
>
> What is happening???
>
> --
> Eduardo Frias
> [EMAIL PROTECTED]
>
> ==============================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ==============================================================================
>
You can do 1 of 2 things here:

1) Split DNS
2) Hack some address translation rules together

1) Split DNS

Place a DNS server inside your network with a copy of the zone used by your
external providers. Replace all entries with the internal addressing, as
required. Force all internal clients to use this DNS server. Have the DNS
server forward unknown requests to the external DNS that you have set up
currently. Do not allow this server to update anyone. Your internal clients
will now be able to browse your internet hosts by typing in the name, and
they will resolve to the internal IPs.

2) Address translation rules

If you have hosts on other segments of the firewall that need to get at this
box, put a rule similar to this in the address translation rulebase. This
won't work if the hosts requiring the resource are on the same segment.

    SRC                DST                XlateSRC   XlateDST
    Internal_Networks  Internal_Networks  Orig       Orig

But it will work for any traffic that has to pass through the firewall to
get to the host (e.g. if you have multiple firewall interfaces with other
nets on them, or the dmz requires to get to the host).

Hope this helps!

Chuck
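The packet flow Arno points at in the cookbook, and the situations Chuck distinguishes (same segment, other firewall segment, split DNS), as an added example. This is my own Python model of the thread's setup, not code from the thread, the cookbook or Check Point, and it ignores FW-1 rule ordering, the route and the ARP entry. The two addresses 148.243.163.133 and 172.16.1.30 come from the question; the /24 masks, the firewall's internal address 172.16.1.1, the DMZ segment 192.168.10.0/24 and all client addresses are assumed or constructed. The `hairpin_hide` option models a third fix the thread does not mention: hiding a same-segment client behind the firewall's own address so the server's reply is forced back through the firewall.

```python
"""Toy model of static NAT on a firewall: why a server is unreachable through its
public address from its own segment, and which paths do work."""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "148.243.163.133"   # server's external address (from the thread)
SERVER_IP = "172.16.1.30"       # server's internal address (from the thread)
# Everything below is assumed or constructed for this example.
INTERNAL_NET = ipaddress.ip_network("172.16.1.0/24")   # segment the server sits on
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")      # a second firewall segment
FW_INTERNAL_IP = "172.16.1.1"     # firewall's address on the internal segment
INTERNAL_CLIENT = "172.16.1.50"   # client on the same segment as the server
DMZ_CLIENT = "192.168.10.20"      # client behind another firewall interface
EXTERNAL_CLIENT = "198.51.100.7"  # client on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def same_segment(a: str, b: str) -> bool:
    """True when a and b share a segment, i.e. can talk without the firewall."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return any(ia in net and ib in net for net in (INTERNAL_NET, DMZ_NET))


class Firewall:
    """Stateful static NAT equivalent to the two fwx rules in the question:
    dst 148.243.163.133 -> 172.16.1.30 inbound, src 172.16.1.30 -> 148.243.163.133
    outbound. hairpin_hide adds a source translation the thread does not use."""

    def __init__(self, hairpin_hide: bool = False):
        self.hairpin_hide = hairpin_hide
        self.reverse = {}   # (src, dst) of an expected reply -> (src, dst) to restore
        self.log = []

    def forward(self, pkt: Packet) -> Packet:
        if (pkt.src, pkt.dst) in self.reverse:          # reply to a known connection
            src, dst = self.reverse[(pkt.src, pkt.dst)]
            self.log.append(f"reply {pkt.src}->{pkt.dst} restored to {src}->{dst}")
            return Packet(src, dst)
        src, dst = pkt.src, pkt.dst
        if dst == PUBLIC_IP:
            dst = SERVER_IP                               # FWXT_DST_STATIC
        if src == SERVER_IP:
            src = PUBLIC_IP                               # FWXT_SRC_STATIC
        if self.hairpin_hide and dst == SERVER_IP and same_segment(pkt.src, SERVER_IP):
            src = FW_INTERNAL_IP                          # hide client behind the firewall
        self.reverse[(dst, src)] = (pkt.dst, pkt.src)     # how to undo this on the reply
        self.log.append(f"accept {pkt.src}->{pkt.dst} forwarded as {src}->{dst}")
        return Packet(src, dst)


def transit(pkt: Packet, fw: Firewall):
    """Deliver one packet. Same-segment traffic never touches the firewall."""
    if same_segment(pkt.src, pkt.dst) and pkt.dst != FW_INTERNAL_IP:
        return "direct", pkt
    return "firewall", fw.forward(pkt)


def web_request(client_ip: str, fw: Firewall, target: str = PUBLIC_IP):
    """Client connects to `target` and accepts only a reply from that address.
    Returns (success, trace)."""
    trace = []
    syn = Packet(client_ip, target)
    path, at_server = transit(syn, fw)
    trace.append(f"SYN {syn.src}->{syn.dst} via {path}, server sees "
                 f"{at_server.src}->{at_server.dst}")
    if at_server.dst != SERVER_IP:
        return False, trace
    synack = Packet(SERVER_IP, at_server.src)            # server answers whoever it saw
    path, at_client = transit(synack, fw)
    trace.append(f"SYN/ACK {synack.src}->{synack.dst} via {path}, client sees "
                 f"{at_client.src}->{at_client.dst}")
    # The client's TCP stack only matches a reply coming from the address it dialled.
    ok = at_client.dst == client_ip and at_client.src == target
    return ok, trace


if __name__ == "__main__":
    cases = [
        ("external client, public IP", EXTERNAL_CLIENT, Firewall(), PUBLIC_IP),
        ("same-segment client, public IP", INTERNAL_CLIENT, Firewall(), PUBLIC_IP),
        ("same-segment client, split DNS", INTERNAL_CLIENT, Firewall(), SERVER_IP),
        ("DMZ client, public IP", DMZ_CLIENT, Firewall(), PUBLIC_IP),
        ("same-segment client, hide NAT", INTERNAL_CLIENT, Firewall(True), PUBLIC_IP),
    ]
    for name, client, fw, target in cases:
        ok, trace = web_request(client, fw, target)
        print(f"{name}: {'works' if ok else 'FAILS'}")
        for line in trace + fw.log:
            print("   ", line)
```

The second case reproduces the symptom in the question: the firewall logs an accept for the SYN, but the server's SYN/ACK is addressed to 172.16.1.50 on its own segment, so it goes straight to the client with source 172.16.1.30, and the client, which connected to 148.243.163.133, never matches it to its connection. The DMZ case works because both directions cross the firewall, which is Chuck's point; split DNS works because the client never dials the public address.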
- [FW1] Answer: StaticNAT -- Arno Hechenberger
- Chuck Melanson
