Firewall Wizards mailing list archives
Re: Sunscreen EFS 3.1 stealth mode and NAT
From: Roy Culley <tgdcuro1 () gd2 swissptt ch>
Date: Wed, 21 May 2003 11:22:35 +0200
Hi Valerie,

Thanks for your replies.

> That part of your configuration seems fine. Have you set your STEALTH_NET on your screen object? That is required whenever you are doing anything in stealth mode that requires rewriting of the IP headers (such as NAT or tunnelling).
Perhaps an ASCII network drawing will help:

  -----------------
  | external router |
  -----------------
          |
     Public subnet
  -----------------
  |    sunscreen    |
  -----------------
          |
     Public subnet
  -----------------
  | internal router |
  -----------------
          |
     Private subnet
  -----------------
  |     router      |
  -----------------
          |
     Private subnet
  -----------------
  |   DNS server    |
  -----------------

As you can see, the DNS server is more than one hop away from the sunscreen subnet. From what I can see the sunscreen is in fact doing the right thing. It is forwarding the ARP broadcast from the external router, having modified the DNS server IP address in the ARP request packet. The internal router doesn't know about the DNS server IP address, so it ignores the ARP packet.

The internal router is not a simple Cisco box. It is a combined load balancer, switch and router. Apparently that box cannot do proxy ARP. The network guys are going to install a 'normal' router in front of it. As this can also do NAT, the NAT function will not be required on the sunscreen.

Hope that is clear. :-)
Current thread:
- Sunscreen EFS 3.1 stealth mode and NAT Roy Culley (May 20)
- <Possible follow-ups>
- Re: Sunscreen EFS 3.1 stealth mode and NAT Roy Culley (May 20)
- Re: Sunscreen EFS 3.1 stealth mode and NAT Roy Culley (May 22)
- Re: Sunscreen EFS 3.1 stealth mode and NAT Valerie Anne Bubb (May 22)