Re: [FW-1] web server on secure lan
If you want to route back into the same interface you came out of, you can't do it. You can route from a hide NAT'ed LAN to a legal IP which is statically routed to an internal host in a separate DMZ on a different interface.

Hal

> -----Original Message-----
> From: Russell Washington [mailto:[email protected]]
> Sent: Friday, June 14, 2002 12:16 PM
> To: [email protected]
> Subject: Re: [FW-1] web server on secure lan
>
> I don't think it's possible. Presume a ping, for example. You should (I think) get the following sequence of events.
>
> - Ping from: Internal Address X to Public Address Z;
>
> - Inbound (to FW) packet passes security policy, gets sent to OS for routing decision;
>
> - Routing tables say "packet is bound for address on external interface (whether part of subnet or not), send it to that NIC and out the door";
>
> - Outbound (from FW) packet passes security policy;
>
> - NAT is performed on destination address, so now ping looks like Internal Address X to Internal Address Y;
>
> - Packet gets shoved out of external interface with destination of Internal Address Y;
>
> - Packet gets either ignored by all devices on the external subnet (if web server public IP is on that subnet) or dropped by some upstream-to-the-Internet router, having been shoved out of the external NIC.
>
> I haven't done any sniffing to verify the above, but I think that's how it would work (or, in your case, not work for your techs).
>
> -----Original Message-----
> From: Richard Marshall [mailto:[email protected]]
> Sent: Friday, June 14, 2002 8:56 AM
> To: [email protected]
> Subject: [FW-1] web server on secure lan
>
> Hi,
>
> I'm after some advice/confirmation.
>
> I have had to set up a test environment webserver on an internal LAN with a NAT to a public IP. Public access now works without problem (thanks to some pointers from this list).
>
> However, the tech guys that have requested the test env. requested that they should be able to access the public NATted IP themselves, i.e. out from the LAN via a hide address and back into the LAN via the NAT address of the webserver. I was sceptical that it was possible (and am not sure why they feel it's necessary). Having spent the day trying every combination of NAT rules, static routes, etc. that I can think of, I have come to the conclusion it's not possible.
>
> Am I right in thinking this, or is it possible after all?
>
> I am running FW-1 4.1 SP3 on Nokia (it's a distributed environment, but it is only the LAN behind the firewall in question that can't access the public IP address.)
>
> thanks in advance
>
> rich

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
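The forwarding order both replies describe (inbound policy, routing decision, outbound policy, then NAT on the way out of the chosen NIC) is easy to reason about as a small model. The Python below is an added illustration for this thread, not Check Point code and not something either poster wrote: interface names, the 10.1.0.0/24 LAN, the 10.2.0.0/24 DMZ, the 203.0.113.0/24 external segment, the public address 203.0.113.80 and the hide address 203.0.113.1 are all constructed for the example. It runs Richard's hairpin attempt (server on the LAN, tech on the same LAN pinging the public IP) and Hal's alternative (server on a separate DMZ interface with the public IP statically routed there) through the same pipeline.

```python
"""Toy model of the FW-1 4.1 forwarding path described in the thread.

Added illustration only: this is not Check Point code. Interface names,
subnets and addresses (RFC 5737 203.0.113.0/24, RFC 1918 10.0.0.0/8) are
constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    iface_out: str = ""
    dropped: str = ""  # empty means the packet reached a host on its egress segment


class Firewall:
    """Order of operations as Russell lays it out: inbound policy, routing
    decision, outbound policy, then NAT applied on the way out of the NIC."""

    def __init__(self, interfaces, static_routes, static_nat, hide_nat, default_iface):
        self.interfaces = {i: ip_network(n) for i, n in interfaces.items()}
        self.static_routes = [(ip_network(n), i) for n, i in static_routes]
        self.static_nat = static_nat  # public IP -> internal IP (destination translation)
        self.hide_nat = [(ip_network(n), a) for n, a in hide_nat]  # source net -> hide address
        self.default_iface = default_iface

    def route(self, dst):
        """Longest-prefix match over static routes and connected subnets."""
        d = ip_address(dst)
        candidates = self.static_routes + [(n, i) for i, n in self.interfaces.items()]
        matches = [(n.prefixlen, i) for n, i in candidates if d in n]
        return max(matches)[1] if matches else self.default_iface

    def forward(self, pkt):
        # Steps 1 and 3 (inbound and outbound security policy) accept, as the thread assumes.
        # Step 2: the routing decision is taken on the UNtranslated destination.
        pkt.iface_out = self.route(pkt.dst)
        # Step 4: NAT happens after routing. The destination is rewritten by the static
        # NAT; the source is hidden whenever it matches a hide rule (as an automatic
        # hide rule for the LAN would, regardless of egress interface).
        pkt.dst = self.static_nat.get(pkt.dst, pkt.dst)
        for net, hide in self.hide_nat:
            if ip_address(pkt.src) in net:
                pkt.src = hide
        # Step 5: a packet only reaches a host that sits on the segment it left by.
        if ip_address(pkt.dst) not in self.interfaces[pkt.iface_out]:
            pkt.dropped = (f"left {pkt.iface_out} with destination {pkt.dst}, "
                           "which nothing on that segment (or upstream) will accept")
        return pkt


def hairpin_attempt():
    """Richard's setup: web server on the internal LAN, static NAT to a public IP,
    and a tech on the same LAN pinging that public IP."""
    fw = Firewall(
        interfaces={"internal": "10.1.0.0/24", "external": "203.0.113.0/24"},
        static_routes=[],
        static_nat={"203.0.113.80": "10.1.0.80"},
        hide_nat=[("10.1.0.0/24", "203.0.113.1")],
        default_iface="external",
    )
    return fw.forward(Packet(src="10.1.0.25", dst="203.0.113.80"))


def dmz_layout():
    """Hal's alternative: the server sits on a separate DMZ interface and the public
    IP is statically routed there, so step 2 already points at the right NIC."""
    fw = Firewall(
        interfaces={"internal": "10.1.0.0/24", "dmz": "10.2.0.0/24",
                    "external": "203.0.113.0/24"},
        static_routes=[("203.0.113.80/32", "dmz")],
        static_nat={"203.0.113.80": "10.2.0.80"},
        hide_nat=[("10.1.0.0/24", "203.0.113.1")],
        default_iface="external",
    )
    return fw.forward(Packet(src="10.1.0.25", dst="203.0.113.80"))


if __name__ == "__main__":
    for name, pkt in (("hairpin", hairpin_attempt()), ("dmz", dmz_layout())):
        status = pkt.dropped or "delivered"
        print(f"{name}: out {pkt.iface_out}, {pkt.src} -> {pkt.dst}: {status}")
```

In the hairpin case the routing step picks the external NIC because 203.0.113.80 is on that subnet (it would pick the default route to the same NIC if it were not), and only afterwards does the static NAT turn the destination into 10.1.0.80, so the packet leaves the box with a private destination that nothing on the external wire owns. In the DMZ case the /32 static route wins the longest-prefix match, the packet leaves by the DMZ NIC, and the translated destination is on that segment. The reply path (server answering the hide address, firewall un-hiding it) is not modelled. To check the hairpin behaviour on a real box rather than trusting the model, do what Russell suggests and sniff the external segment while a tech pings: the tell is an outbound packet carrying the internal address as its destination. Note that later Check Point releases add a global property to translate the destination on the client side, which applies the destination NAT before the routing decision and so changes step 2; the thread concerns 4.1, where NAT follows routing as modelled here.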