Firewall Wizards mailing list archives
Re: Working with NAT on FW-1 on NT
From: "Erik Schetina" <eriks () interactivefutures com>
Date: Mon, 07 Dec 1998 16:26:29 -0500
I believe that Firewall-1 on NT has a file called local.arp that needs to be set up with the translated IP address of your server (195.100.3.3) and the MAC address of the external NIC of the firewall. This is what you tried to do with ARP -s, but for Firewall-1 on NT you do this with the local.arp file. I think the format is IP address <sp> MAC address. When you do this the firewall will answer for the 195.100.3.3 server address without adding the route on your router.

Riccardo Fontana wrote:
Does anyone know how to fix this FW-1 configuration? I have Firewall-1 installed on an NT server (ver 4.0, SP3 and a bunch of hotfixes). Behind the firewall is a network with an illegal addressing policy. I should export an internal server outside the firewall using NAT rules.

Example:
  Router internal addr.:    195.100.3.1 /27
  Firewall external addr.:  195.100.3.2 /27
  Firewall internal addr.:  192.168.1.1 /24
  Server real addr.:        192.168.1.2 /24
  Server translated addr.:  195.100.3.3 /27

To configure the firewall I follow the Firewall-1 Guide, so I create an object for the internal server with its real address and assign a valid IP address to it by means of "Add Automatic Address Translation Rules" (option STATIC) (ADDRESS TRANSLATION menu). I am also defining a rule in order to let the right traffic pass through the firewall to reach the server:

  Source   Destination   Protocol   Action
  ANY      INTSERVER     SMTP       Accept

Then, I add the following static route:

  route add 195.100.3.3 mask 255.255.255.255 192.168.1.2

Finally, I add the following:

  ARP -s 195.100.3.3 <mac address> 195.100.3.2

(where mac address is the real MAC address of my network adapter).

Now, I expect that if the router connected to the firewall gets a packet with destination addr = 195.100.3.3, it will route it to the firewall and, obviously filtered, to the internal host. The problem is that the traffic packets never reach the external interface of the firewall because the router cannot associate the translated address to the firewall.

After trying a lot of different configurations, I found that the only way to make it work correctly is to add a static route on the router to make it point to the firewall:

  IP ROUTE 195.100.3.3 255.255.255.255 195.100.3.2

(This option works also without adding any ARP entry on the NT machine.)

Firewall gurus, is it a clean solution? Any hints?
Thanks in advance

--
Riccardo Fontana
Intesis SECURITY LAB
Via Settembrini, 35
I-20124 Milano ITALY
Phone: +39-2-671563.1
Fax: +39-2-66981953
Email: rfontana () seclab com
--
********************************
* Erik S. Schetina
* Security Consulting Manager
* IFsec, A Division of Interactive Futures, Inc.
* (212)213-8570 voice
* (212)213-8567 fax
********************************
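The following is an added example for the static-NAT / proxy-ARP setup discussed in this thread; it is not code from either poster or from Check Point. It uses the addresses from Riccardo's example, assumes local.arp holds one "IP MAC" entry per line as Erik describes, assumes the MAC is written the way NT's arp -s takes it (hyphen-separated hex pairs), and uses a placeholder MAC for the firewall's external NIC. The needs_proxy_arp() check is plain IP networking reasoning, not something the thread states: if the translated address lies on the firewall's external segment the router will ARP for it, so the firewall must answer; if it lies elsewhere, only a route on the router can get the packets to the firewall.

```python
"""Helpers for the FW-1/NT static-NAT setup discussed in the thread.

Added example, not code from the thread or from Check Point.  Assumptions:
local.arp takes one "IP MAC" entry per line (the format Erik describes),
the MAC is written like NT's arp -s argument (hyphen-separated hex pairs),
and FW_EXTERNAL_MAC below is a placeholder, not the poster's adapter.
"""
import ipaddress
import re

# Addresses from Riccardo's example; the MAC is a constructed placeholder.
FW_EXTERNAL = "195.100.3.2"
FW_EXTERNAL_PREFIX = 27
SERVER_REAL = "192.168.1.2"
SERVER_TRANSLATED = "195.100.3.3"
FW_EXTERNAL_MAC = "00:60:08:5a:3b:56"   # placeholder (assumption)

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC as six upper-case hex pairs joined by hyphens,
    the form NT's arp command uses.  Rejects anything that is not 48 bits."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(_HEX_PAIR.fullmatch(p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(p.upper() for p in parts)


def needs_proxy_arp(translated_ip: str, fw_external_ip: str, prefixlen: int) -> bool:
    """True when the translated address lies on the firewall's external
    segment: the router then ARPs for it directly, so the firewall must
    answer (local.arp).  Otherwise the router needs a route to the firewall
    and no ARP entry on the firewall will help."""
    segment = ipaddress.ip_network(f"{fw_external_ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(translated_ip) in segment


def local_arp_entry(translated_ip: str, fw_mac: str) -> str:
    """One local.arp line: the translated IP and the external NIC's MAC."""
    return f"{ipaddress.IPv4Address(translated_ip)} {normalize_mac(fw_mac)}"


def nt_host_route(translated_ip: str, real_ip: str) -> str:
    """The NT host route from Riccardo's post, so the firewall forwards the
    translated address on to the server's real address."""
    ipaddress.IPv4Address(translated_ip)
    ipaddress.IPv4Address(real_ip)
    return f"route add {translated_ip} mask 255.255.255.255 {real_ip}"


def parse_local_arp(text: str) -> dict:
    """Parse local.arp contents into {ip: MAC}, rejecting malformed lines so
    a typo does not silently leave the translated address unanswered."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"local.arp line {lineno}: expected 'IP MAC', got {raw!r}")
        ip = str(ipaddress.IPv4Address(fields[0]))
        entries[ip] = normalize_mac(fields[1])
    return entries


def proxy_arp_covers(local_arp_text: str, translated_ip: str, fw_mac: str) -> bool:
    """Check that local.arp maps the translated address to the firewall's
    own external MAC, i.e. the firewall will answer ARP for it."""
    return parse_local_arp(local_arp_text).get(translated_ip) == normalize_mac(fw_mac)


if __name__ == "__main__":
    entry = local_arp_entry(SERVER_TRANSLATED, FW_EXTERNAL_MAC)
    print("proxy ARP needed:", needs_proxy_arp(SERVER_TRANSLATED, FW_EXTERNAL, FW_EXTERNAL_PREFIX))
    print("local.arp entry: ", entry)
    print("NT host route:   ", nt_host_route(SERVER_TRANSLATED, SERVER_REAL))
    print("entry covers it: ", proxy_arp_covers(entry + "\n", SERVER_TRANSLATED, FW_EXTERNAL_MAC))
```

Run it once with the real MAC of the firewall's external NIC substituted in; needs_proxy_arp() tells you whether the local.arp route (Erik's answer) or the router static route (Riccardo's workaround) is the one that can work for a given translated address, and proxy_arp_covers() lets you sanity-check the file before restarting the firewall.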
Current thread:
- Working with NAT on FW-1 on NT Riccardo Fontana (Dec 01)
- Re: Working with NAT on FW-1 on NT Ng Lup Houh (Dec 03)
- Re: Working with NAT on FW-1 on NT Erik Schetina (Dec 08)
- RE: Working with NAT on FW-1 on NT Joe Ippolito (Dec 09)
- <Possible follow-ups>
- RE: Working with NAT on FW-1 on NT Martijn Berlage (Dec 02)