> -----Original Message-----
> From: Roman Serbski [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 09, 2001 10:43 PM
>
> Sorry if this question is FAQ but I still do not have any
> idea how to do it...
> My question is about transparent proxy and port forwarding.
> Please, tell me in general - IS IT POSSIBLE to redirect ports?
> [...]
> After switching to Solaris+Checkpoint I couldn't find any
> <redirect> or <forward> actions.
> My configuration: Solaris 5.7, FW1 4.1 SP4.

Roman,

Sure, it's possible. You can redirect any port to a statically NAT'ed
device to a different device. As far as I know, you cannot use the
firewall's external IP address, but someone may correct me on that.

I'm using port forwarding as well. Here's how you do it:

Create an object named Int-HostA with a static NAT configuration for
host A (i.e. 192.168.1.1 [internal] NAT'ed to 10.10.10.10
[external]). Every connection from the outside will be NAT'ed and
passed on to that host. Also create an object Ext-HostA with the
external IP address (10.10.10.10), do not use NAT on this one. Now
create an object named Int-HostB for host B with a hide NAT
configuration, using the same external IP address of host A (i.e.
192.168.1.5 NAT'ed to 10.10.10.10).

Then select the Address Translation Rules tab. You should see:

    Int-HostA / any / any // (s)Int-HostA / original / original
    any / Int-HostA / any // original / (s)Int-HostA / original

for the static translation, and

    Int-HostB / any / any // (h)Int-HostB / original / original

for the dynamic translation.

Above all the automatic rules, create a new rule that reads:

    any / Ext-HostA / MyPort // original / (s)Int-HostB / original

Since the translation rules are processed from top to bottom, any
incoming request to the external IP address of Host-A on MyPort (a
port or service of your choosing) will be redirected to MyPort on
Host B (during translation, the destination address will be
re-written).

As far as I know you cannot use the firewall's external IP address
since any connection to it would end on the firewall itself. You have
to create a statically NAT'ed device with its own external IP
(remember to set routes and entry in local.arp). In this case the
connection will be routed through the firewall, and based on port you
can re-write the destination address.

Note that Host A and Host B have to reside on the same internal
network since the firewall routes the packet before the translation
(and redirection) occurs.

Regards,
Frank
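
Added example, not part of the original message and not Check Point code: a simplified first-match model of the translation table described above, showing why the manual rule has to sit above the automatic ones and checking the same-network requirement. The value chosen for MyPort (8080), the outside client address and the /24 mask are assumptions; hide NAT's source-port rewrite is not modeled.

```python
import ipaddress

# Addresses are the examples used in the message.
HOST_A_INT = "192.168.1.1"   # Int-HostA
HOST_A_EXT = "10.10.10.10"   # Ext-HostA (valid address of Int-HostA)
HOST_B_INT = "192.168.1.5"   # Int-HostB
MY_PORT = 8080               # assumption: stand-in for "MyPort"

# (match_src, match_dst, match_service, translated_src, translated_dst)
# None in a translated column means "original" (left unchanged).
RULES = [
    ("any", HOST_A_EXT, MY_PORT, None, HOST_B_INT),   # manual redirect rule, on top
    (HOST_A_INT, "any", "any", HOST_A_EXT, None),     # automatic static, outbound
    ("any", HOST_A_EXT, "any", None, HOST_A_INT),     # automatic static, inbound
    (HOST_B_INT, "any", "any", HOST_A_EXT, None),     # automatic hide, outbound
]


def _matches(field, value):
    return field == "any" or field == value


def translate(src, dst, port, rules=RULES):
    """Apply only the first matching rule, top to bottom.

    Returns (src, dst, port, rule_number); rule_number is None if nothing matched.
    """
    for number, (m_src, m_dst, m_svc, x_src, x_dst) in enumerate(rules, start=1):
        if _matches(m_src, src) and _matches(m_dst, dst) and _matches(m_svc, port):
            return (x_src or src, x_dst or dst, port, number)
    return (src, dst, port, None)


def same_internal_network(a, b, prefix=24):
    """Check the message's requirement that both hosts share one internal network.

    The /24 prefix is an assumption; the message does not state a netmask.
    """
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net


if __name__ == "__main__":
    client = "203.0.113.7"  # constructed outside address
    print(translate(client, HOST_A_EXT, MY_PORT))  # redirected to host B
    print(translate(client, HOST_A_EXT, 25))       # still reaches host A
    # Manual rule moved below the automatic ones: the static rule matches first.
    print(translate(client, HOST_A_EXT, MY_PORT, RULES[1:] + RULES[:1]))
    print(same_internal_network(HOST_A_INT, HOST_B_INT))
```

When reviewing such a rule base, the redirect rule is also the one to audit: it exposes MyPort on host B to everything that can reach host A's external address, so the security policy for that service should be checked alongside the translation rule.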