
Re: [FW-1] web server on secure lan


  • To: [email protected]
  • Subject: Re: [FW-1] web server on secure lan
  • From: Hal Dorsman <[email protected]>
  • Date: Fri, 14 Jun 2002 14:33:27 -0600
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcIT0+zN2LZjDnXHTZy/6eKUBpFFNgADpWzQ
  • Thread-topic: Re: [FW-1] web server on secure lan

If you want to route back into the same interface you came out
of, you can't do it.  You can route from a hide-NATed LAN to a
legal IP which is statically routed to an internal host in a
separate DMZ on a different interface.

Hal

> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Friday, June 14, 2002 12:16 PM
> To: [email protected]
> Subject: Re: [FW-1] web server on secure lan
>
>
> I don't think it's possible.  Presume a ping, for example.  You should (I
> think) get the following sequence of events.
>
> - Ping from: Internal Address X to Public Address Z;
>
> - Inbound (to FW) packet passes security policy, gets sent to OS for
> routing decision;
>
> - Routing tables say "packet is bound for address on external interface
> (whether part of subnet or not), send it to that NIC and out the door";
>
> - Outbound (from FW) packet passes security policy;
>
> - NAT is performed on destination address, so now ping looks like Internal
> Address X to Internal Address Y;
>
> - Packet gets shoved out of external interface with destination of
> Internal Address Y;
>
> - Packet gets either ignored by all devices on the external subnet (if web
> server public IP is on that subnet) or dropped by some
> upstream-to-the-Internet router, having been shoved out of the external
> NIC.
>
> I haven't done any sniffing to verify the above, but I think that's how it
> would work (or, in your case, not work for your techs).
>
> -----Original Message-----
> From: Richard Marshall [mailto:[email protected]]
> Sent: Friday, June 14, 2002 8:56 AM
> To: [email protected]
> Subject: [FW-1] web server on secure lan
>
>
> Hi,
>
> I'm after some advice/confirmation.
>
> I have had to set up a test environment webserver on an internal LAN with
> a NAT to a public IP.  Public access now works without problem (thanks to
> some pointers from this list).
>
> However, the tech guys that have requested the test env. requested that
> they should be able to access the public NATed IP themselves, i.e. out
> from the LAN via a hide address and back into the LAN via the NAT address
> of the webserver.  I was sceptical that it was possible (and am not sure
> why they feel it's necessary).  Having spent the day trying every
> combination of NAT rules, static routes, etc. that I can think of, I have
> come to the conclusion it's not possible.
>
> Am I right in thinking this, or is it possible after all?
>
> I am running FW-1 4.1 SP3 on Nokia (it's a distributed environment, but
> it is only the LAN behind the firewall in question that can't access the
> public IP address.)
>
> thanks in advance
>
> rich
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
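The sequence Russell lays out (policy, then a routing decision on the untranslated public address, then destination NAT, then out the chosen NIC) can be walked through with a small model. The following is an added example written for this archive page, not code from any of the list posters or from Check Point: the addresses, interface names, routes and hosts are constructed. Scenario 1 is Richard's setup as described; scenario 2 adds the host route a reader would try first and shows why a destination-only translation still fails on the same interface (the server answers the client directly, with its real address as source, so the client sees a reply from the wrong host); scenario 3 shows the general "hairpin" technique of also hiding the client's source behind the firewall, which is shown only as the general fix and not as something this FW-1 4.1 SP3 setup supports; scenario 4 is Hal's alternative of a server on a separate DMZ interface.

```python
"""Toy model of the packet flow described in the thread: a stateful firewall
that makes its routing decision on the untranslated (public) destination,
then applies destination NAT, then emits on the chosen interface.
Addresses, interface names and routes are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    def __init__(self, own_addrs, routes, static_nat, hide_hairpin=False):
        self.own_addrs = own_addrs                  # interface -> firewall's address on it
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]
        self.static_nat = static_nat                # public address -> real address
        self.reverse_nat = {real: pub for pub, real in static_nat.items()}
        self.hide_hairpin = hide_hairpin            # also hide the client's source on hairpins
        self.state = {}                             # (reply src, reply dst) -> original packet

    def route(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def forward(self, pkt, in_if):
        out_if = self.route(pkt.dst)                    # routing first, on the public address
        dst = self.static_nat.get(pkt.dst, pkt.dst)     # destination NAT afterwards
        src = self.own_addrs[in_if] if (self.hide_hairpin and out_if == in_if) else pkt.src
        self.state[(dst, src)] = pkt                    # remember how to un-translate the reply
        return out_if, Packet(src, dst)

    def reply(self, pkt):
        orig = self.state.get((pkt.src, pkt.dst))
        if orig is None:
            return None, None                           # no matching connection: dropped
        back = Packet(self.reverse_nat.get(pkt.src, pkt.src), orig.src)
        return self.route(back.dst), back


def trace(fw, hosts, client, public):
    """Client pings the server's public address; returns (event log, success)."""
    log = []
    out_if, fwd = fw.forward(Packet(client, public), hosts[client])
    log.append(f"fw routes {public} via {out_if}, emits {fwd.src}->{fwd.dst} on {out_if}")
    if hosts.get(fwd.dst) != out_if:
        log.append(f"no host {fwd.dst} on {out_if}: packet lost")   # Russell's case
        return log, False
    server = fwd.dst
    rep = Packet(server, fwd.src)
    if hosts.get(rep.dst) == hosts[server]:
        # Reply stays on the server's own segment and never passes through the firewall
        log.append(f"{server} answers {rep.dst} directly with source {server}")
        ok = rep.src == public
        log.append("client expects source " + public + (": accepted" if ok else ": rejected"))
        return log, ok
    out2, back = fw.reply(rep)
    if back is None:
        log.append("fw has no state for the reply: dropped")
        return log, False
    log.append(f"fw un-translates reply to {back.src}->{back.dst} via {out2}")
    return log, (back.src == public and back.dst == client and out2 == hosts[client])


# Constructed topology: secure LAN on "int", DMZ on "dmz", public side on "ext".
HOSTS = {"10.1.0.50": "int",   # tech's workstation on the secure LAN
         "10.1.0.80": "int",   # test web server on the same LAN
         "10.2.0.80": "dmz"}   # the same server if moved to a separate DMZ
BASE_ROUTES = [("10.1.0.0/16", "int"), ("10.2.0.0/16", "dmz"), ("192.0.2.0/24", "ext")]
NAT = {"192.0.2.80": "10.1.0.80", "192.0.2.81": "10.2.0.80"}
OWN = {"int": "10.1.0.1", "dmz": "10.2.0.1", "ext": "192.0.2.1"}


def run_scenarios():
    results = {}
    # 1. Setup as posted: the public address routes out the external interface
    fw = Firewall(OWN, BASE_ROUTES, NAT)
    results["default"] = trace(fw, HOSTS, "10.1.0.50", "192.0.2.80")
    # 2. Host route for the public address back into the LAN, destination NAT only
    fw = Firewall(OWN, BASE_ROUTES + [("192.0.2.80/32", "int")], NAT)
    results["host_route"] = trace(fw, HOSTS, "10.1.0.50", "192.0.2.80")
    # 3. Same, but the client is also hidden behind the firewall on the hairpin
    fw = Firewall(OWN, BASE_ROUTES + [("192.0.2.80/32", "int")], NAT, hide_hairpin=True)
    results["host_route_hide"] = trace(fw, HOSTS, "10.1.0.50", "192.0.2.80")
    # 4. Hal's case: server on a separate DMZ interface, host route for its public address
    fw = Firewall(OWN, BASE_ROUTES + [("192.0.2.81/32", "dmz")], NAT)
    results["dmz"] = trace(fw, HOSTS, "10.1.0.50", "192.0.2.81")
    return results


if __name__ == "__main__":
    for name, (log, ok) in run_scenarios().items():
        print(f"[{name}] {'works' if ok else 'fails'}")
        for line in log:
            print("   ", line)
```

The model deliberately keeps the firewall out of the reply path whenever client and server share a segment, which is the point of Hal's answer: with the server behind a different interface the reply has to cross the firewall, where the static translation is reversed, whereas on the same interface it does not, unless the client's source is hidden as well.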
   All contents © 2004 Network Presence, LLC. All rights reserved.