Firewall-1
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [FW-1] NAT / Spoofing question

from Martín Alcalá Rubí [Permanent Link]
Subject: Re: [FW-1] NAT / Spoofing question
From: Martín Alcalá Rubí <malcala AT SADVISOR DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 28 Dec 2004 15:57:58 -0200 
Hi,

   Try no-NAT rules Between the computers of your internal networks.

Regards

Martín Alcalá Rubí - Ingeniería de Clientes
Security Advisor
www.sadvisor.com



Shane Presley wrote:


Hello,

I have a solaris firewall running NG AI.

Four interfaces:

qfe0 - 199.199.1.1  (faces internet)
qfe1 - 10.10.201.1  (public DMZ)
qfe2 - 10.10.202.1  (apps DMZ)
qfe3 - 10.10.203.1  (faces internal network)

Now we have a NAT pool of 199.199.2.0/24.  So all of our servers in
the public DMZ have static NATs that map between 10.10.201.x and
199.199.2.x.

When external users talk to our public servers they use 199.199.2.x.
When internal users talk to those same servers they MOSTLY use
10.49.201.x.

Spoofing is setup...
qfe0 - external
qfe1 - specific 10.10.201.0/24 and 199.199.2.0/24
qfe2 - thisnet
qfe3 - specific (all the internal networks are listed)

When a server in the apps segment tries to talk to 10.10.201.x it's
fine.  But if a server in the apps segment tries to talk to
199.199.2.x it fails, Address Spoofing.

How should I setup spoofing so that I can reach 199.199.2.x from any segment?

Thanks,
Shane

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================






=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [FW-1] Fwd: [FW-1] isp ip change fw1 4.1 sp6 howto, damien s
Next by Date:  [FW-1] Automatic reply, Michel Boudat
Previous by Thread:  [FW-1] NAT / Spoofing question, Shane Presley
Next by Thread:  [FW-1] Office Mode problem with SecureClient R56 HFA02?, Ray
Indexes:  [Date] [Thread] [Top] [All Lists]