Thanks. I created a new node object for the external IP and put it in the
rule as the Destination and then created a manual NAT rule to handle the
translation. It's working as I expected. I was trying to keep from using a
manual NAT rule because they sometimes seem problematic. I've never had any
issues but I certainly have read about them, so I decided to try something
different. Didn't work. :-)
Take care,
Ray
From: Loge VK <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Question about Static NAT with two public IPs
Date: Thu, 15 Sep 2005 20:19:56 -0700
To secure it better, I would add a rule in the firewall for dropping any
incoming traffic to xxx.xxx IPs. This would take care of the router getting
compromised at any point of time. The solution you implemented was only
able to NAT the outgoing traffic; the incoming was still open.
-Loge VK
On 9/15/05, Ray <[EMAIL PROTECTED]> wrote:
>
> Thanks for the confirmation. In fact that is precisely what we're going to
> do and why we're doing this. For whatever reason, I thought FW-1 would
> change the Internet-accessible IP address from xxx to yyy.
>
> Ray
>
>
> >From: cisco4ng <[EMAIL PROTECTED]>
> >To: [email protected]
> >CC: [EMAIL PROTECTED]
> >Subject: Re: [FW-1] Question about Static NAT with two public IPs
> >Date: Wed, 14 Sep 2005 18:03:00 -0700 (PDT)
> >
> >Ray,
> >The Firewall is just a routing device with CP software
> >on it. Therefore it is reasonable that you can access
> >both xxx.xxx.123.123 and yyy.yyy.123.123 because the
> >upstream device in front of the firewall (probably
> >router) has either static or dynamic routes to go to
> >the xxx.xxx.123.123 by pointing to the firewall.
> >
> >The easiest thing to do is to remove the route on the
> >upstream device so that it does not know how to get to
> >xxx.xxx.123.123 and the only way to get to it is via
> >yyy.yyy.123.123. Without removing this route, no
> >amount of NAT can change this behavior.
> >
> >Cisco router behaves the same way.
> >
> >HTH
> >cisco4ng
> >
> >--- Ray <[EMAIL PROTECTED]> wrote:
> >
> > > Yes, this has been a thoroughly confusing week.
> > > Thanks for noticing. :-)
> > >
> > > I'm working with a company that uses public IPs on their internal
> > > network because it's fifteen years old. They have been allowing direct
> > > connections to each internal computer directly from the Internet (no
> > > NAT). We now have Hide NAT configured to at least obscure the internal
> > > IP space from the Internet.
> > >
> > > We're trying to set up Static NAT to do the same with their internal
> > > servers. The internal "public" IP is
> > >
> > > xxx.xxx.123.123
> > >
> > > and the "Static" address set on the server node object NAT tab is
> > >
> > > yyy.yyy.zzz.123
> > >
> > > Interestingly, BOTH IP addresses are now accessible from the Internet.
> > > There's only one node object with that xxx.xxx.123.123 internal IP
> > > address and it's only specified in one rule.
> > >
> > > Is this normal behavior for R55? I would have thought that adding the
> > > static NAT entry would have blocked the internal IP address from being
> > > accessible from the Internet, but it didn't.
> > >
> > > Thanks,
> > >
> > > Ray
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages,
> > > send an email to [EMAIL PROTECTED]
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list,
> > > please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your
> > > subscription options, email
> > > [EMAIL PROTECTED]
> > > =================================================
> > >
> >
>