Subject: [FW-1] Problem with NAT and Anti-spoofing
From: Michel Lapointe <MLapointe AT HEWITT DOT CA>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 10 Sep 2004 10:58:13 -0400
Hello,

I have a weird problem which forces me to disable anti-spoofing on the external interface, and I would like to know if anybody knows why this happens and if there is a way to fix it...

The current setup is the following.

Eth 0 -> Leads to the Internet
Eth 1 -> Leads to the internal network
Eth 2 -> Leads to the partner network

The only NATting that occurs is when a packet needs to be routed out of Eth0 (Internet).

Topology is:

Eth 0 -> External
Eth 1 -> This Network
Eth 2 -> Partner Network

Partner Network:
2.3.4.0/24
3.4.5.0/24
...

Routing on the FW is:

0.0.0.0/0      -> Internet
2.3.4.0/24     -> Eth2
3.4.5.0/24     -> Eth2
2.3.4.50/32    -> Internet

Routing-wise everything works fine.

NAT Rules:

Original Source   Original Destination   Translated Source   Translated Destination
Eth1              2.3.4.50/32            Eth0.2 (Hide)       DESTINATION
Eth1/Eth2         ANY                    SOURCE              DESTINATION
Eth1/Eth2         ANY                    Eth0.1 (Hide)       DESTINATION

If from the Internal Network (Eth1) I send a packet:

Eth1 -> Internet address except Partner Network -> Gets NATted -> Works fine
Eth1 -> Partner Network                         -> No NAT      -> Works fine
Eth1 -> 2.3.4.50                                -> Gets NATted -> Doesn't work; the Eth0 interface complains that it gets spoofed by the NAT address, which is on the same network as the Eth0 interface

If I remove the anti-spoofing on Eth0, everything works fine...

So does anyone know why, when trying to route a subset of a subnet through a different interface, the NATting won't work?

Also, if I disable anti-spoofing everywhere except on Eth0, and/or set all networks to External, it has the same problem.

If you have any idea or suggestion, it will be appreciated.

Thanks

Michel Lapointe

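The following is an added illustration, not code from the post or from Check Point: a small model of how longest-prefix routing and interface-topology anti-spoofing interact for the addresses in the post. It models the generic mechanism (an "External" interface owns every address no other interface's topology claims; a packet is accepted on an interface only if its source falls in that interface's topology) rather than FireWall-1's actual implementation, and it does not claim to be the cause of the reported complaint. The internal network on Eth1 and the two hide-NAT addresses behind "Eth0.1"/"Eth0.2" are not given in the post, so they are assumed placeholders from the RFC 5737 documentation ranges; NAT is applied only to traffic leaving Eth0, as the post states, rather than by replaying the NAT rule base line by line.

```python
import ipaddress

# Constructed model of the post's setup. Not Check Point code.

# Interface topologies. The post gives no internal prefix, so Eth1's
# network is an ASSUMED placeholder (RFC 5737 documentation range).
TOPOLOGY = {
    "Eth1": ["192.0.2.0/24"],               # assumption: "This Network"
    "Eth2": ["2.3.4.0/24", "3.4.5.0/24"],   # Partner Network, from the post
}
EXTERNAL_IFACE = "Eth0"  # "External": every address no other interface claims

# Routing table from the post ("Internet" means out of Eth0).
ROUTES = [
    ("0.0.0.0/0", "Eth0"),
    ("2.3.4.0/24", "Eth2"),
    ("3.4.5.0/24", "Eth2"),
    ("2.3.4.50/32", "Eth0"),
]

# Hide-NAT addresses on Eth0. ASSUMED placeholders for "Eth0.1" / "Eth0.2".
HIDE_NAT = {"Eth0.1": "198.51.100.1", "Eth0.2": "198.51.100.2"}


def egress_interface(dst):
    """Longest-prefix match over ROUTES: the interface a packet to dst leaves by."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def topology_interface(addr):
    """The interface whose topology claims addr; the External interface if none does."""
    ip = ipaddress.ip_address(addr)
    for iface, prefixes in TOPOLOGY.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return iface
    return EXTERNAL_IFACE


def spoof_check(arrival_iface, src):
    """Interface-topology anti-spoofing: accept a packet on arrival_iface only
    if its source address belongs to that interface's topology."""
    return topology_interface(src) == arrival_iface


def route_topology_conflicts():
    """Routes whose next-hop interface disagrees with the topology that claims
    the routed prefix. Returns a list of (prefix, route_iface, topology_iface).
    This is the consistency check to run before enabling anti-spoofing."""
    conflicts = []
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue  # the default route claims nothing specific
        claimed_by = topology_interface(net.network_address)
        if claimed_by != iface:
            conflicts.append((prefix, iface, claimed_by))
    return conflicts


def nat_source(dst, out_iface):
    """Hide NAT as the post describes it: only traffic leaving Eth0 is
    translated; 2.3.4.50 is hidden behind Eth0.2, everything else behind Eth0.1."""
    if out_iface != "Eth0":
        return None
    return HIDE_NAT["Eth0.2"] if dst == "2.3.4.50" else HIDE_NAT["Eth0.1"]


def session_from_eth1(dst):
    """Trace one of the post's three cases: egress interface, applied hide NAT,
    and whether the reply (source = dst, arriving on the egress interface)
    passes the anti-spoofing check on that interface."""
    out_iface = egress_interface(dst)
    return {
        "egress": out_iface,
        "hide_nat": nat_source(dst, out_iface),
        "reply_passes_spoof_check": spoof_check(out_iface, dst),
    }


if __name__ == "__main__":
    for dst in ("203.0.113.7", "2.3.4.51", "2.3.4.50"):
        print(dst, session_from_eth1(dst))
    print("route/topology conflicts:", route_topology_conflicts())
```

The point of `route_topology_conflicts()` is the check a practitioner wants before switching anti-spoofing on: the /32 route sends 2.3.4.50 out of Eth0 while the Eth2 topology still claims the whole of 2.3.4.0/24, so the routing table and the anti-spoofing topology disagree about that one host, and any reply from it arriving on Eth0 fails the interface-topology check in this model.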