-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Well... I bet it is 'not supported' and for that reason 'not
possible', but it does work. At least on FW-1 4.0 SP4 with NT 4.0
SP6a (haven't tried FW-1 4.1 yet, but I imagine it will work on a 4.1
as well since there aren't that many changes to the way the state
table handles traffic).
Regards,
Frank
> -----Original Message-----
> From: Doug Schmidt [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 06, 2000 1:06 PM
>
> Interesting... I called CP support a few weeks back, looking to do this
> exact same thing.
> Basically support told me it could not be done, because of the static
> routes in the firewall. The support folk even left me on hold while he
> talked with the "Senior" Engineer.
>
>
>
> -----Original Message-----
> From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 05, 2000 7:55 PM
>
> Sure you can do this with FW-1. I'm doing it right now. It's only
> possible due to the state tables tracking ability. Here is how you
> do it:
>
> Create an object FTPserver with a HIDE NAT address of 123.45.67.89.
> Create an object HTTPserver with a HIDE NAT address of
> 123.45.67.89. Create an object OtherServer with a STATIC NAT
> address of 123.45.67.89. Create an object Server-Ext with an IP
> address of 1234.45.67.89.
>
> Define your rules like:
>
> Any - Server-Ext - FTP - Allow
> Any - Server-Ext - HTTP - Allow
> (etc)
>
> Then add Translation rules on top of the NAT table like this:
>
> Any - Server-Ext - FTP -to- Original - FTPServer - Original
> Any - Server-Ext - HTTP -to- Original - HTTPServer - Original
>
> Note that FTPserver and HTTPserver will show an S for static NAT
> although it is a hide NAT object.
>
> Requests for HTTP will be redirected to HTTPserver, requests for FTP
> to FTPserver. Any other incoming port goes to OtherServer.
>
> When HTTPserver needs to originate a packet (in my case, I use a
> redirected port for SMTP).... let's take FTP. If the FTPserver
> needs to originate a packet, it will be translated to the same IP
> address (.89). However, FW-1 will note in its state table where the
> connection was coming from, so return packets for that connection
> do indeed hit FTPserver and not OtherServer.
>
> Hope this helps (to put an end to the port translation/redirection
> debate...)
>
> Regards,
> Frank
>
> PS: Don't forget the proxy arp entry in the local.arp file, and to
> add a route (pointing to OtherServer).
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.
iQA/AwUBOd4WpURKym0LjhFcEQLD9QCdE/2xaUJRwLZM6iFnD4YWbhAqUssAoLxa
qsZJIIeP28VmqLpXz5ocV3Df
=37rV
-----END PGP SIGNATURE-----
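The point of the thread is that per-port redirection of one public address only works because the firewall keeps connection state: the catch-all static NAT would otherwise swallow every reply to a connection that FTPserver or HTTPserver originated. The following is an added illustration, not configuration or code from the mail thread or from Check Point. It models the rulebase described above as a small stateful translator. The external address 123.45.67.89 is the one used in the thread; the internal addresses 10.0.0.21, 10.0.0.80 and 10.0.0.99 and the Internet hosts 198.51.100.7 and 203.0.113.5 are constructed. Real hide NAT also rewrites the source port to a high port, which the model omits for readability.

```python
"""Toy model of the stateful NAT behaviour described in the thread.

Assumptions (constructed, not from the original mail): internal hosts
10.0.0.21 (FTPserver), 10.0.0.80 (HTTPserver), 10.0.0.99 (OtherServer).
The external address 123.45.67.89 is the one the thread uses.
"""
from dataclasses import dataclass

EXTERNAL_IP = "123.45.67.89"
FTP_SERVER = "10.0.0.21"     # hide NAT object, constructed address
HTTP_SERVER = "10.0.0.80"    # hide NAT object, constructed address
OTHER_SERVER = "10.0.0.99"   # static NAT object, constructed address

# Destination-NAT rules in rulebase order: the port-specific redirection
# rules sit on top, the static NAT catch-all (port None) comes last.
DNAT_RULES = [
    (EXTERNAL_IP, 21, FTP_SERVER),
    (EXTERNAL_IP, 80, HTTP_SERVER),
    (EXTERNAL_IP, None, OTHER_SERVER),
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def dnat_only(pkt):
    """Stateless lookup: which internal host the NAT rules alone would pick."""
    for dst_ip, port, target in DNAT_RULES:
        if pkt.dst_ip == dst_ip and (port is None or port == pkt.dst_port):
            return target
    return None


class StatefulNAT:
    """Connection-tracking translator for the external address."""

    def __init__(self):
        # Keyed by the 4-tuple an inbound reply will carry on the wire,
        # value is the internal (ip, port) that originated the connection.
        self.state = {}

    def outbound(self, pkt):
        """Internal server originates a connection: hide it behind the
        external IP and record how the reply must be mapped back."""
        translated = Packet(EXTERNAL_IP, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reply_key = (pkt.dst_ip, pkt.dst_port, EXTERNAL_IP, pkt.src_port)
        self.state[reply_key] = (pkt.src_ip, pkt.src_port)
        return translated

    def inbound(self, pkt):
        """Packet from the Internet to the external IP: state table first,
        then the destination-NAT rules."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.state:
            internal_ip, internal_port = self.state[key]
            return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)
        target = dnat_only(pkt)
        if target is None:
            return None  # no matching NAT rule; left to the security policy
        return Packet(pkt.src_ip, pkt.src_port, target, pkt.dst_port)


def demo():
    """Walk through the cases the thread describes; returns the final hop
    of each so the behaviour can be checked."""
    nat = StatefulNAT()
    http_in = nat.inbound(Packet("198.51.100.7", 40001, EXTERNAL_IP, 80))
    ftp_in = nat.inbound(Packet("198.51.100.7", 40002, EXTERNAL_IP, 21))
    smtp_in = nat.inbound(Packet("198.51.100.7", 40003, EXTERNAL_IP, 25))
    # FTPserver opens a connection out; the reply lands on a high port that
    # only the state table can attribute to FTPserver.
    out = nat.outbound(Packet(FTP_SERVER, 1025, "203.0.113.5", 25))
    reply = Packet("203.0.113.5", 25, EXTERNAL_IP, 1025)
    return {
        "http": http_in.dst_ip,
        "ftp": ftp_in.dst_ip,
        "other": smtp_in.dst_ip,
        "hidden_src": out.src_ip,
        "reply_with_state": nat.inbound(reply).dst_ip,
        "reply_without_state": dnat_only(reply),
    }


if __name__ == "__main__":
    for name, host in demo().items():
        print(f"{name:20s} -> {host}")
```

The last two entries of `demo()` are the contrast the thread draws: with the state entry the reply reaches FTPserver, while a rule-only lookup would hand the same packet to OtherServer, the static NAT catch-all.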
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================