Subject: RE: [FW1] Port-sensitive redirection to multiple servers using one single Hide-NAT address
Well... I bet it is 'not supported' and for that reason 'not possible', but it does work. At least on FW-1 4.0 SP4 with NT 4.0 SP6a (haven't tried FW-1 4.1 yet, but I imagine it will work on 4.1 as well since there aren't that many changes to the way the state table handles traffic).

Regards,
Frank

> -----Original Message-----
> From: Doug Schmidt [mailto:[email protected]]
> Sent: Friday, October 06, 2000 1:06 PM
>
> Interesting... I called CP support a few weeks back, looking to do this exact same thing.
> Basically support told me it could not be done, because of the static routes in the firewall. The support folk even left me on hold while he talked with the "Senior" Engineer.
>
> -----Original Message-----
> From: Frank Knobbe [mailto:[email protected]]
> Sent: Thursday, October 05, 2000 7:55 PM
>
> Sure you can do this with FW-1. I'm doing it right now. It's only possible due to the state table's tracking ability. Here is how you do it:
>
> Create an object FTPserver with a HIDE NAT address of 123.45.67.89.
> Create an object HTTPserver with a HIDE NAT address of 123.45.67.89.
> Create an object OtherServer with a STATIC NAT address of 123.45.67.89.
> Create an object Server-Ext with an IP address of 1234.45.67.89.
>
> Define your rules like:
>
> Any - Server-Ext - FTP - Allow
> Any - Server-Ext - HTTP - Allow
> (etc)
>
> Then add Translation rules on top of the NAT table like this:
>
> Any - Server-Ext - FTP -to- Original - FTPServer - Original
> Any - Server-Ext - HTTP -to- Original - HTTPServer - Original
>
> Note that FTPserver and HTTPserver will show an S for static NAT although it is a hide NAT object.
>
> Requests to HTTP will be redirected to HTTPserver, requests for FTP to FTPserver. Any other incoming port goes to OtherServer.
>
> When HTTPserver needs to originate a packet (in my case, I use a redirected port for SMTP).... let's take FTP. If the FTPserver needs to originate a packet, it will be translated to the same IP address (.89). However, FW-1 will note in its state table where the connection was coming from, so return packets for that connection do indeed hit FTPserver and not OtherServer.
>
> Hope this helps (to put an end to the port translation/redirection debate...)
>
> Regards,
> Frank
>
> PS: Don't forget the proxy arp entry in the local.arp file, and to add a route (pointing to OtherServer).
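The thread's argument rests on one property: the firewall's state table remembers which internal host each connection belongs to, so several hosts can sit behind a single public address and still receive their own replies. The following is an added example, not code from the post or from Check Point; it is a toy connection-tracking NAT that models the behaviour Frank describes (port-based redirection inbound, hide-style translation outbound) and not FW-1's actual implementation. The public address 123.45.67.89 comes from the post; the private server addresses, the remote hosts and the hide-port range are constructed for the example.

```python
from dataclasses import dataclass

PUBLIC_IP = "123.45.67.89"  # the single external address used in the post
# Port-sensitive redirection: external destination port -> internal server.
# Private addresses are hypothetical; the post names the servers, not their IPs.
REDIRECT = {21: "10.0.0.21", 80: "10.0.0.80"}   # FTPserver, HTTPserver
OTHER_SERVER = "10.0.0.1"                       # static-NAT catch-all (OtherServer)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNat:
    """Minimal connection-tracking NAT: one public IP shared by several hosts."""

    def __init__(self, hide_port_base=10000):
        # (remote_ip, remote_port, public_port) -> (internal_ip, internal_port)
        self.to_internal = {}
        # (internal_ip, internal_port, remote_ip, remote_port) -> public_port
        self.to_public = {}
        self.next_hide_port = hide_port_base  # constructed pool for port collisions

    def inbound(self, pkt):
        """Translate a packet arriving from outside, addressed to PUBLIC_IP."""
        if pkt.dst != PUBLIC_IP:
            return pkt  # not ours; pass through unchanged
        key = (pkt.src, pkt.sport, pkt.dport)
        entry = self.to_internal.get(key)
        if entry is None:
            # New inbound connection: choose the server by destination port,
            # falling back to the static-NAT host for every other port.
            entry = (REDIRECT.get(pkt.dport, OTHER_SERVER), pkt.dport)
            self._record(entry[0], entry[1], pkt.src, pkt.sport, pkt.dport)
        internal_ip, internal_port = entry
        return Packet(pkt.src, pkt.sport, internal_ip, internal_port)

    def outbound(self, pkt):
        """Translate a packet leaving an internal server towards the Internet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        public_port = self.to_public.get(key)
        if public_port is None:
            # New outbound connection ("hide" NAT): keep the source port if it
            # is free for this remote endpoint, otherwise allocate a fresh one
            # so the replies of two internal hosts stay distinguishable.
            public_port = pkt.sport
            while (pkt.dst, pkt.dport, public_port) in self.to_internal:
                public_port = self.next_hide_port
                self.next_hide_port += 1
            self._record(pkt.src, pkt.sport, pkt.dst, pkt.dport, public_port)
        return Packet(PUBLIC_IP, public_port, pkt.dst, pkt.dport)

    def _record(self, internal_ip, internal_port, remote_ip, remote_port, public_port):
        """Store both directions of a connection in the state table."""
        self.to_internal[(remote_ip, remote_port, public_port)] = (internal_ip, internal_port)
        self.to_public[(internal_ip, internal_port, remote_ip, remote_port)] = public_port


def demo():
    """Walk through the scenario from the post; returns the translated packets."""
    nat = StatefulNat()
    client = "198.51.100.7"  # constructed Internet client
    trace = {
        "http": nat.inbound(Packet(client, 40000, PUBLIC_IP, 80)),
        "ftp": nat.inbound(Packet(client, 40001, PUBLIC_IP, 21)),
        "other": nat.inbound(Packet(client, 40002, PUBLIC_IP, 25)),
        # HTTPserver replying to the client: hidden behind the public address
        "http_reply": nat.outbound(Packet("10.0.0.80", 80, client, 40000)),
        # two internal hosts originate to the same mail relay with the same source port
        "ftp_out": nat.outbound(Packet("10.0.0.21", 5000, "203.0.113.9", 25)),
        "other_out": nat.outbound(Packet("10.0.0.1", 5000, "203.0.113.9", 25)),
    }
    # replies from the relay are steered back to the right originator
    trace["reply_to_ftp"] = nat.inbound(Packet("203.0.113.9", 25, PUBLIC_IP, trace["ftp_out"].sport))
    trace["reply_to_other"] = nat.inbound(Packet("203.0.113.9", 25, PUBLIC_IP, trace["other_out"].sport))
    return trace


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:14} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The point of the `outbound` path is the part of the thread that support doubted: with both FTPserver and OtherServer hidden behind .89, a reply from the mail relay is ambiguous on addresses alone, and only the state-table entry written when the connection was opened resolves it. The collision handling (re-picking the source port when two hosts use the same one towards the same remote) is a standard hide-NAT behaviour and is included so the model stays correct in that edge case, not because the post describes it.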