
[FW-1] FW: Dual Address Translation



Folks,

I think I know what I need to do here but I would like some input from
the experts......

My scenario is this...



    Customer Network                                   192.150.119.x
        5.3.x.x                                        184.10.120.x
    -------------------- Router ------ Firewall ------- Local LAN ---------- Router
                        Ethernet    hme0 192.150.119.220                       !
                      5.3.101.251   qfe3 5.3.101.250                           !
                                                                               !
                                                                              WAN
                                                                               !
                                                                               !
                                                                               !
                                                 App Server ----------- Remote Network
                                               192.161.20.45            192.161.20.x

The IP addressing is disguised for security reasons.
The 5.3.x.x is routable locally on our LAN but not across corporate WAN.
Clients on the 5.3.x.x network need to establish telnet connections with the
App Server at 192.161.20.45.
The 192.161.20.x network is not routable on the customer network.
I am using Checkpoint Firewall-1 4.1 on Sun Solaris.

In order for this to work I assume I need to do the following.....

1. Set up a proxy arp for an address 5.3.101.249 on the firewall.
2. Configure a static route on the firewall mapping 5.3.101.249 to the
   default gateway on my LAN 192.150.119.1.
3. Set up the following objects: source network, server-external-address,
   server-internal-address.
4. Create a rule to allow traffic from the customer network to the app
   server external address.
5. Create the following NAT Rule

Source           Destination               Service  Source Tr     Destination Translated

source-network   server-external-address   any      fw-internal   server-internal-address


Does this look okay ? Anything else I need to include ?

Also, I have confused myself about the firewall internal IP. Can I use the
existing firewall gateway object, or should I create a separate object
specifying the firewall internal hme0 address? Should I be translating
to this address at all, or should I be using a different address on the
192.150.119.x network and configuring another proxy arp?

The reason I am NATing the source address is because our WAN does not know
about the 5.3.x.x network, and due to the usual political stuff it cannot be
added to the routers.

Your comments and thoughts are very welcome !

Best Regards, Peter.
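
Added example, not part of the original post and not FireWall-1 configuration: a small Python model of the single NAT rule described above, showing what addresses a telnet packet carries on each side of the firewall and checking that neither unroutable network leaks onto the wrong segment. It assumes /16 and /24 masks, that fw-internal is the hme0 address 192.150.119.220, and a constructed client 5.3.7.10; DualNat, leaks and demo are hypothetical names.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Addresses from the post (already disguised by its author); masks are assumed.
CUSTOMER_NET = ipaddress.ip_network("5.3.0.0/16")
REMOTE_NET = ipaddress.ip_network("192.161.20.0/24")
SERVER_EXTERNAL = "5.3.101.249"    # proxy-ARP address the clients telnet to
SERVER_INTERNAL = "192.161.20.45"  # real App Server
FW_INTERNAL = "192.150.119.220"    # assumption: fw-internal is the hme0 address

class DualNat:
    """Toy model of one rule that rewrites source and destination together."""
    def __init__(self):
        self.by_client = {}     # (client ip, client port) -> hide port
        self.by_port = {}       # hide port -> (client ip, client port)
        self.next_port = 10000  # constructed start of the hide-port range

    def outbound(self, pkt):
        """Customer side -> LAN/WAN side; None when the rule does not match."""
        if ipaddress.ip_address(pkt.src) not in CUSTOMER_NET or pkt.dst != SERVER_EXTERNAL:
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.by_client:
            self.by_client[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return Packet(FW_INTERNAL, self.by_client[key], SERVER_INTERNAL, pkt.dport)

    def inbound(self, pkt):
        """App Server reply -> original client; None without a matching entry."""
        if (pkt.src, pkt.dst) != (SERVER_INTERNAL, FW_INTERNAL) or pkt.dport not in self.by_port:
            return None
        client_ip, client_port = self.by_port[pkt.dport]
        return Packet(SERVER_EXTERNAL, pkt.sport, client_ip, client_port)

def leaks(pkt, unroutable_net):
    """True if pkt carries an address the segment it travels on cannot route."""
    return any(ipaddress.ip_address(a) in unroutable_net for a in (pkt.src, pkt.dst))

def demo():
    nat = DualNat()
    syn = Packet("5.3.7.10", 40001, SERVER_EXTERNAL, 23)  # constructed telnet client
    on_wan = nat.outbound(syn)
    reply = Packet(SERVER_INTERNAL, 23, on_wan.src, on_wan.sport)
    return on_wan, nat.inbound(reply)
```

Calling demo() returns the packet as seen on the LAN/WAN side and the reply as seen by the client; leaks(on_wan, CUSTOMER_NET) and leaks(reply_to_client, REMOTE_NET) should both be False if the rule hides each network from the other.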
