Re: Working with NAT on FW-1 on NT

["Erik Schetina" <eriks () interactivefutures com>]

I believe that Firewall-1 on NT has a file called local.arp that needs to be set up
with the translated IP address of your server (195.100.3.3) and the mac address of
the external NIC of the firewall.  This is what you tried to do with ARP -s but for
Firewall-1 on NT you do this with the local.arp file.  I think the format is IP
address <sp> MAC address.  When you do this the firewall will answer for the
195.100.3.3 server address without adding the route on your router.

Riccardo Fontana wrote:

> Does anyone know how to fix this FW-1 configuration ?
>
> I have a firewall-1 installed on an NT server (ver 4.0, SP3 and a bunch
> of hotfixes).
>
> Behind the firewall is a network with illegal addressing policy.
> I should export an internal server outside the firewall using NAT rules.
>
> Example:
>
> Route internal Addr.:           195.100.3.1 /27
> Firewall External Addr.:        195.100.3.2 /27
> Firewall Internal Addr.:        192.168.1.1 /24
>
> Server Real Addr.:              192.168.1.2 /24
> Server translated addr.:        195.100.3.3 /27
>
> To configure the firewall I follow the Firewall-1 Guide, so I create an
> object for the internal server with its real address and assign a Valid
> IP address to it by means of the "Add automatic Address Translation
> Rules" (option STATIC) (ADDRESS TRANSLATION menu).
> I am also defining a rule in order to let the right traffic pass through
> the firewall to reach the server:
>
> Source          Destination     Protocol        ACTION
> ANY             INTSERVER       SMTP            Accept
>
> Then, I add the following static route:
>
> route add 195.100.3.3 mask 255.255.255.255 192.168.1.2
>
> Finally, I add the following:
>
> ARP -s 195.100.3.3 <mac address> 195.100.3.2            (where mac address is the
> real MAC Address of my network adapter)
>
> Now, I expect that if the router connected to the firewall gets a packet
> with destination addr = 195.100.3.3, it will route it to the firewall
> and, obviously filtered to the internal host.
>
> The problem is that the traffic packets never reach the external
> interface of the firewall because the router cannot associate the
> translated address to the firewall. After trying a lot of different
> configurations, I found that the only way to made it work correctly is
> to add a static route on the router to make it point to the firewall:
>
> IP ROUTE 195.100.3.3 255.255.255.255 195.100.3.2
>
> (This option works also without adding any ARP entry on the NT machine)
>
> Firewalls GURUs is it a clean solution ? Any hints ?
>
> Thanks in advance
>
> --
> Riccardo Fontana
> Intesis SECURITY LAB            Phone: +39-2-671563.1
> Via Settembrini, 35             Fax: +39-2-66981953
> I-20124 Milano  ITALY           Email: rfontana () seclab com



--

********************************
*  Erik S. Schetina
*  Security Consulting Manager
*  IFsec, A Division of Interactive Futures, Inc.
*  (212)213-8570 voice
*  (212)213-8567 fax
********************************