RE: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address
Dgianna,

If you perform this, then what is the static route on the gateway going to look like when the destination packet is destined for 4 or 5 physical servers?

Thomas Poole

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, October 05, 2000 2:06 PM
To: [email protected]
Subject: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address

I think you CAN do this with FW-1/VPN-1 . . . ie: you have one address: 123.45.67.89 and you want to route it to a server based on the service, or what port it hits:

ie:
123.45.67.89:21 goes to the FTP server
123.45.67.89:80 goes to the http server
123.45.67.89.90:9091 goes to a <custom service> server.

Instead of applying global Address Translation rules (which would require a separate hide-mode NAT address for each server), apply the NATing to each object. You can have multiple objects NATted to the same address.

ie: when you create the network object that uses port 9091 (remember, you can define a custom service), add the NAT to the object. Do this for each object that hides behind the same shared address.

Then create rules to direct the service to each server:
(ANY, WebServer, http, accept, log)
(ANY, FTP_Server, ftp, authenticate, log)
(ANY, Your_Server, <custom_9091>, accept, log)
etc.

This way, if a service hits a particular port, it will be accepted by the corresponding rule, as it goes down the list of rules until it gets to one that accepts it. If none of the rules apply, it gets dropped and logged by your cleanup rule.

Alternately, I believe the Address Translation rules are applied in sequential order, so they may be executed in order. So you could have a NAT rule for the workstations, then for the FTP server, the webserver, the mailserver, and filter all the way down. I'd like to test this and see if it does work sequentially. If so, each NAT rule can be service-sensitive and send the service to the appropriate server.
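The behaviour the original post relies on (one shared public address, a per-service translation to an internal server, then an ordered rulebase where the first matching rule decides and a cleanup rule drops and logs the rest) can be modelled as a small first-match evaluator. The following is an added example written for this archive page, not code from the thread or Check Point's own syntax: the rule tuples and the public address come from the post, the private server addresses and the function names are constructed assumptions, and the shadowing check goes slightly beyond the post by showing what sequential evaluation does if a broad rule is placed too early.

```python
"""
Added example (not from the FW-1 list thread): a first-match rulebase
evaluator that models port-sensitive redirection behind one hide address.
Object names, ports and 123.45.67.89 come from the post; the 10.0.0.x
server addresses and all function names are this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_ADDR = "123.45.67.89"  # the single shared address from the post

# Service-sensitive translation: (public address, port) -> (object, internal ip).
# The internal addresses are constructed; the post names the servers only.
NAT_TABLE = {
    (PUBLIC_ADDR, 21): ("FTP_Server", "10.0.0.21"),
    (PUBLIC_ADDR, 80): ("WebServer", "10.0.0.80"),
    (PUBLIC_ADDR, 9091): ("Your_Server", "10.0.0.91"),
}


@dataclass(frozen=True)
class Rule:
    src: str        # "ANY" or an object name
    dst: str        # "ANY" or an object name
    service: int    # destination port, or 0 for ANY
    action: str     # "accept", "authenticate" or "drop"
    log: bool = True


# Ordered rulebase modelled on the one in the post, ending with a cleanup rule.
RULEBASE: List[Rule] = [
    Rule("ANY", "WebServer", 80, "accept"),
    Rule("ANY", "FTP_Server", 21, "authenticate"),
    Rule("ANY", "Your_Server", 9091, "accept"),
    Rule("ANY", "ANY", 0, "drop"),  # cleanup: drop and log anything unmatched
]


def translate(dst_ip: str, dst_port: int) -> Optional[Tuple[str, str]]:
    """Return (object name, internal ip) for a port on the public address, else None."""
    return NAT_TABLE.get((dst_ip, dst_port))


def evaluate(dst_ip: str, dst_port: int, src: str = "ANY",
             rulebase: List[Rule] = RULEBASE):
    """Translate the destination, then walk the rulebase in order; first match wins.

    Returns (action, internal ip or None, list of log lines).
    """
    target = translate(dst_ip, dst_port)
    dst_obj = target[0] if target else dst_ip
    log: List[str] = []
    for idx, rule in enumerate(rulebase, start=1):
        if rule.src not in ("ANY", src):
            continue
        if rule.dst not in ("ANY", dst_obj):
            continue
        if rule.service not in (0, dst_port):
            continue
        if rule.log:
            log.append(f"rule {idx}: {rule.action} {dst_ip}:{dst_port} -> {dst_obj}")
        return rule.action, (target[1] if target else None), log
    # Only reachable without a cleanup rule; make the implicit drop visible.
    return "drop", None, log + ["implicit drop"]


def shadowed_rules(rulebase: List[Rule]) -> List[int]:
    """1-based indices of rules that can never match because an earlier rule
    already covers every packet they would match (the ordering pitfall of
    sequential evaluation)."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (earlier.src in ("ANY", rule.src)
                    and earlier.dst in ("ANY", rule.dst)
                    and earlier.service in (0, rule.service)):
                shadowed.append(i + 1)
                break
    return shadowed


if __name__ == "__main__":
    for port in (21, 80, 9091, 25):
        action, internal, log = evaluate(PUBLIC_ADDR, port)
        print(f"{PUBLIC_ADDR}:{port} -> {action} {internal} | {'; '.join(log)}")
    # Cleanup rule moved to the top: every server rule becomes unreachable.
    misordered = [RULEBASE[-1]] + RULEBASE[:-1]
    print("shadowed in misordered rulebase:", shadowed_rules(misordered))
```

Running the script shows ports 21, 80 and 9091 reaching their servers with the actions from the post, port 25 hitting only the cleanup rule (dropped and logged), and the shadowing check flagging rules 2, 3 and 4 once the cleanup rule is moved ahead of them.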
================================================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
================================================================================