Firewall-1

Re: [FW-1] Problem with NAT and Anti-spoofing

Subject: Re: [FW-1] Problem with NAT and Anti-spoofing
From: Michel Lapointe <MLapointe AT HEWITT DOT CA>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 13 Sep 2004 10:32:34 -0400
For performance reasons... our connection with our partner is expensive
and limited, and some connectivity is possible through the Internet...

ML

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
kwelsh AT WESTPAC.COM DOT AU
Sent: Sunday, September 12, 2004 10:49 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Problem with NAT and Anti-spoofing

Michel,

Why are you trying to route part of the connectivity to your "Partner
Network" via your Internet connection?

Regards,

Ken...


Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM> wrote on 11/09/2004
00:58:13:

> Hello,
>
> I have a weird problem which forces me to disable anti-spoofing on the
> external interface, and I would like to know if anybody knows why this
> happens and if there is a way to fix it...
>
> The current setup is the following:
>
>     Eth 0 -> Leads to the Internet
>     Eth 1 -> Leads to internal network
>     Eth 2 -> Leads to partner network
>
> The only NATting that occurs is when a packet needs to be routed out
> of Eth0 (Internet).
>
> Topology is:
>
>     Eth 0 -> External
>     Eth 1 -> This Network
>     Eth 2 -> Partner Network
>
> Partner Network:
>
>     2.3.4.0/24
>     3.4.5.0/24
>     ...
>
> Routing on the FW is:
>
>     0.0.0.0/0      -> Internet
>     2.3.4.0/24     -> Eth2
>     3.4.5.0/24     -> Eth2
>     2.3.4.50/32    -> Internet
>
> Routing-wise everything works fine.
>
> NAT Rule
>
>     Eth1         2.3.4.50/32    Eth0.2 (Hide)    DESTINATION
>     Eth1/Eth2    ANY            SOURCE           DESTINATION
>     Eth1/Eth2    ANY            Eth0.1 (Hide)    DESTINATION
>
> If from the Internal Network (Eth1) I send a packet:
>
>     Eth1 -> Inet Address except Partner Network -> Got NATTED -> Works fine
>     Eth1 -> Partner Network -> No NAT -> Works fine
>     Eth1 -> 2.3.4.50 -> Got NATTED -> Doesn't work; the Eth0 interface
>             complains that it gets spoofed by the NAT address, which is
>             on the same network as the Eth0 interface
>
> If I remove the anti-spoofing on Eth0, everything works fine...
>
> So does anyone know why, when trying to route a subset of a subnet
> through a different interface, the NATting won't work?
>
> Also, if I disable anti-spoofing except on Eth0, and/or set all
> networks to External, it will have the same problem.
>
> If you have any ideas or suggestions, they will be appreciated.
>
> Thanks
>
> Michel Lapointe
>

<snip>



=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
