Problem: Utilizing the http_mapped resource with a proxy system, Trend
IWSS.
Goal: To map outbound HTTP to go through Trend IWSS proxy on port 8080
rather than have to configure manual proxy settings on each workstation
or use proxy scripts.
Description: What I have found so far is that the mapping works if a
system on the internal network has an object defined in SmartCenter and
has some sort of NAT configuration specified on it. The NAT
configuration can be hide or static, behind the gateway or a specific
address. The NAT configuration on the proxy does not appear to matter,
but it is defined using static NAT for functional reasons besides the
proxy. If a general user system on the network that is behind a subnet
with Hide NAT tries to go out when the http_mapped rule is in effect, it
does not work. If I define a host in SmartCenter for a user system and
configure any sort of NAT rule, it works and I get out. Because I can
play with the NAT and get the mapped rule to work, I want to believe
that there is something in CP that I can do to get this to function. In
the FW monitor traffic below, the first section of traffic is coming
from the working STATIC NAT system. The second section of traffic is
from the network PC running under Hide NAT. The 83.246.65.3 address is
an external web site, eicar.org.
Objects:
Mgmt: NGAIR55 HFA13 on 2K
FW: NGAIR55 HFA13 on SPLAT
FW: 10.0.0.1
Proxy: 10.0.0.3
Proxy NAT IP: 1.1.1.139
Functional NAT PC: 10.0.0.49
Functional NAT PC NAT IP: 1.1.1.164
Hide NAT PC: 10.0.0.115 (or any 10.0.0.X IP not specified in SmartCenter
that has NAT controlled under the Global Hide NAT rule)
Does Work:
Source     Destination  Service      Action
10.0.0.49  Any          http_mapped  Permit
10.0.0.49  Any          Any          Permit
Doesn't Work (Global Hide NAT in effect lower in the rule base):
Source     Destination  Service      Action
PC1        Any          http_mapped  Permit
PC1        Any          Any          Permit
FW Monitor Traffic Log:
Working NAT PC Traffic:
eth0:i[48]: 10.0.0.49 -> 83.246.65.3 (TCP) len=48 id=53700 TCP: 1328 -> 80 .S.... seq=6e3e9c86 ack=00000000
eth0:I[48]: 10.0.0.49 -> 10.0.0.3 (TCP) len=48 id=44616 TCP: 1328 -> 8080 .S.... seq=6e3e9c86 ack=00000000
eth0:o[76]: 10.0.0.1 -> 10.0.0.49 (ICMP) len=76 id=10341 ICMP: type=5 code=1 redirect (host) 10.0.0.3 10.0.0.49 -> 10.0.0.3 (TCP: 1328 -> 8080) ipid=44616
eth0:O[76]: 83.246.65.3 -> 10.0.0.49 (ICMP) len=76 id=10341 ICMP: type=5 code=1 redirect (host) 10.0.0.3 10.0.0.49 -> 83.246.65.3 (TCP: 1328 -> 80) ipid=44616
eth0:o[48]: 10.0.0.49 -> 10.0.0.3 (TCP) len=48 id=44616 TCP: 1328 -> 8080 .S.... seq=6e3e9c86 ack=00000000
eth0:O[48]: 1.1.1.164 -> 10.0.0.3 (TCP) len=48 id=44616 TCP: 1328 -> 8080 .S.... seq=6e3e9c86 ack=00000000
eth0:i[48]: 10.0.0.3 -> 1.1.1.164 (TCP) len=48 id=19333 TCP: 8080 -> 1328 .S..A. seq=6e96bf9c ack=6e3e9c87
eth0:I[48]: 10.0.0.3 -> 10.0.0.49 (TCP) len=48 id=17954 TCP: 8080 -> 1328 .S..A. seq=6e96bf9c ack=6e3e9c87
eth0:o[76]: 10.0.0.1 -> 10.0.0.3 (ICMP) len=76 id=43373 ICMP: type=5 code=1 redirect (host) 10.0.0.49 10.0.0.3 -> 10.0.0.49 (TCP: 8080 -> 1328) ipid=17954
eth0:O[76]: 1.1.1.164 -> 10.0.0.3 (ICMP) len=76 id=43373 ICMP: type=5 code=1 redirect (host) 10.0.0.49 10.0.0.3 -> 1.1.1.164 (TCP: 8080 -> 1328) ipid=17954
eth0:o[48]: 10.0.0.3 -> 10.0.0.49 (TCP) len=48 id=17954 TCP: 8080 -> 1328 .S..A. seq=6e96bf9c ack=6e3e9c87
eth0:O[48]: 83.246.65.3 -> 10.0.0.49 (TCP) len=48 id=17954 TCP: 80 -> 1328 .S..A. seq=6e96bf9c ack=6e3e9c87
eth0:i[40]: 10.0.0.49 -> 83.246.65.3 (TCP) len=40 id=53702 TCP: 1328 -> 80 ....A. seq=6e3e9c87 ack=6e96bf9d
eth0:I[40]: 10.0.0.49 -> 10.0.0.3 (TCP) len=40 id=62567 TCP: 1328 -> 8080 ....A. seq=6e3e9c87 ack=6e96bf9d
eth0:o[40]: 10.0.0.49 -> 10.0.0.3 (TCP) len=40 id=62567 TCP: 1328 -> 8080 ....A. seq=6e3e9c87 ack=6e96bf9d
eth0:O[40]: 1.1.1.164 -> 10.0.0.3 (TCP) len=40 id=62567 TCP: 1328 -> 8080 ....A. seq=6e3e9c87 ack=6e96bf9d
eth0:i[386]: 10.0.0.49 -> 83.246.65.3 (TCP) len=386 id=53703 TCP: 1328 -> 80 ...PA. seq=6e3e9c87 ack=6e96bf9d
eth0:I[386]: 10.0.0.49 -> 10.0.0.3 (TCP) len=386 id=53805 TCP: 1328 -> 8080 ...PA. seq=6e3e9c87 ack=6e96bf9d
eth0:o[386]: 10.0.0.49 -> 10.0.0.3 (TCP) len=386 id=53805 TCP: 1328 -> 8080 ...PA. seq=6e3e9c87 ack=6e96bf9d
eth0:O[386]: 1.1.1.164 -> 10.0.0.3 (TCP) len=386 id=53805 TCP: 1328 -> 8080 ...PA. seq=6e3e9c87 ack=6e96bf9d
Non-Working Hide NAT PC Traffic:
eth0:i[48]: 10.0.0.3 -> 83.246.65.3 (TCP) len=48 id=19334 TCP: 4290 -> 80 .S.... seq=c341601f ack=00000000
eth0:I[48]: 10.0.0.3 -> 83.246.65.3 (TCP) len=48 id=35879 TCP: 4290 -> 80 .S.... seq=c341601f ack=00000000
eth1:o[48]: 10.0.0.3 -> 83.246.65.3 (TCP) len=48 id=35879 TCP: 4290 -> 80 .S.... seq=c341601f ack=00000000
eth1:O[48]: 1.1.1.139 -> 83.246.65.3 (TCP) len=48 id=35879 TCP: 4290 -> 80 .S.... seq=c341601f ack=00000000
eth1:i[48]: 83.246.65.3 -> 1.1.1.139 (TCP) len=48 id=0 TCP: 80 -> 4290 .S..A. seq=715beef3 ack=c3416020
eth1:I[48]: 83.246.65.3 -> 10.0.0.3 (TCP) len=48 id=0 TCP: 80 -> 4290 .S..A. seq=715beef3 ack=c3416020
eth0:o[48]: 83.246.65.3 -> 10.0.0.3 (TCP) len=48 id=0 TCP: 80 -> 4290 .S..A. seq=715beef3 ack=c3416020
eth0:O[48]: 83.246.65.3 -> 10.0.0.3 (TCP) len=48 id=0 TCP: 80 -> 4290 .S..A. seq=715beef3 ack=c3416020
eth0:i[40]: 10.0.0.3 -> 83.246.65.3 (TCP) len=40 id=19335 TCP: 4290 -> 80 ....A. seq=c3416020 ack=715beef4
eth0:I[40]: 10.0.0.3 -> 83.246.65.3 (TCP) len=40 id=44418 TCP: 4290 -> 80 ....A. seq=c3416020 ack=715beef4
eth1:o[40]: 10.0.0.3 -> 83.246.65.3 (TCP) len=40 id=44418 TCP: 4290 -> 80 ....A. seq=c3416020 ack=715beef4
eth1:O[40]: 1.1.1.139 -> 83.246.65.3 (TCP) len=40 id=44418 TCP: 4290 -> 80 ....A. seq=c3416020 ack=715beef4
eth0:i[386]: 10.0.0.3 -> 83.246.65.3 (TCP) len=386 id=19336 TCP: 4290 -> 80 ...PA. seq=c3416020 ack=715beef4
eth0:I[386]: 10.0.0.3 -> 83.246.65.3 (TCP) len=386 id=39783 TCP: 4290 -> 80 ...PA. seq=c3416020 ack=715beef4
eth1:o[386]: 10.0.0.3 -> 83.246.65.3 (TCP) len=386 id=39783 TCP: 4290 -> 80 ...PA. seq=c3416020 ack=715beef4
eth1:O[386]: 1.1.1.139 -> 83.246.65.3 (TCP) len=386 id=39783 TCP: 4290 -> 80 ...PA. seq=c3416020 ack=715beef4
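The two traces above show the same packet at fw monitor's four inspection points (i pre-inbound, I post-inbound, o pre-outbound, O post-outbound), so any address rewrite performed by a resource rule or a NAT rule appears as a difference between adjacent points. The Python script below is an added example and is not part of the original post or of Check Point's tooling: it re-joins the mail-wrapped fw monitor lines, groups each packet's records by (source port, seq, ack, flags) because the IP id is not stable across a rewrite, and reports which address fields changed between which points. The sample traces embedded in it are copied from the post above (the SYN records and one ICMP redirect from the working case; the SYN and the returning SYN/ACK from the failing case). The inspection-point semantics are standard fw monitor behaviour; the function and variable names are the example's own.

```python
import re
from collections import OrderedDict

# fw monitor inspection points in path order: i = pre-inbound, I = post-inbound,
# o = pre-outbound, O = post-outbound. Destination rewrites show up between
# i and I, source rewrites between o and O.
POINT_ORDER = {"i": 0, "I": 1, "o": 2, "O": 3}

RECORD_RE = re.compile(
    r"^(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)\s+"
    r"len=(?P<len>\d+)\s+id=(?P<ipid>\d+)\s+"
    r"(?:TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>\S+)\s+"
    r"seq=(?P<seq>[0-9a-f]+)\s+ack=(?P<ack>[0-9a-f]+)"
    r"|ICMP:\s+(?P<icmp>.*))$"
)
START_RE = re.compile(r"^\w+:[iIoO]\[")  # a line that begins a new record


def parse_fw_monitor(text):
    """Return one dict per record; lines wrapped by the mail client are re-joined."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if START_RE.match(line):
            joined.append(line)
        elif joined:  # continuation of the previous record
            joined[-1] += " " + line
    return [m.groupdict() for m in map(RECORD_RE.match, joined) if m]


def tcp_flows(records):
    """Group the TCP records of one packet across the inspection points it passed."""
    flows = OrderedDict()
    for rec in records:
        if rec["proto"] == "TCP":
            key = (rec["sport"], rec["seq"], rec["ack"], rec["flags"])
            flows.setdefault(key, []).append(rec)
    for recs in flows.values():
        recs.sort(key=lambda r: POINT_ORDER[r["point"]])
    return flows


def nat_changes(flow):
    """List (from_point, to_point, field, before, after) for every rewrite."""
    changes = []
    for prev, cur in zip(flow, flow[1:]):
        for field in ("src", "sport", "dst", "dport"):
            if prev[field] != cur[field]:
                changes.append((prev["point"], cur["point"], field, prev[field], cur[field]))
    return changes


def summarize(text):
    """Map 'src:sport -> dst:dport flags' (as first seen) to that packet's rewrites."""
    out = OrderedDict()
    for recs in tcp_flows(parse_fw_monitor(text)).values():
        f = recs[0]
        out[f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} {f['flags']}"] = nat_changes(recs)
    return out


def redirected_syns(summary):
    """Client SYNs whose destination was rewritten between i and I, i.e. the
    packets the gateway actually diverted to another host (static NAT reversal
    on a returning SYN/ACK is excluded by requiring a pure SYN)."""
    return [label for label, changes in summary.items()
            if label.endswith(".S....")
            and any(c[0] == "i" and c[1] == "I" and c[2] == "dst" for c in changes)]


# Sample input copied from the post above, kept with the original mail wrapping.
WORKING_TRACE = """\
eth0:i[48]: 10.0.0.49 -> 83.246.65.3 (TCP) len=48 id=53700 TCP: 1328 ->
80 .S.... seq=6e3e9c86 ack=00000000
eth0:I[48]: 10.0.0.49 -> 10.0.0.3 (TCP) len=48 id=44616 TCP: 1328 ->
8080 .S.... seq=6e3e9c86 ack=00000000
eth0:o[76]: 10.0.0.1 -> 10.0.0.49 (ICMP) len=76 id=10341 ICMP: type=5
code=1 redirect (host) 10.0.0.3 10.0.0.49 -> 10.0.0.3 (TCP: 1328 ->
8080) ipid=44616
eth0:o[48]: 10.0.0.49 -> 10.0.0.3 (TCP) len=48 id=44616 TCP: 1328 ->
8080 .S.... seq=6e3e9c86 ack=00000000
eth0:O[48]: 1.1.1.164 -> 10.0.0.3 (TCP) len=48 id=44616 TCP: 1328 ->
8080 .S.... seq=6e3e9c86 ack=00000000
"""
FAILING_TRACE = """\
eth0:i[48]: 10.0.0.3 -> 83.246.65.3 (TCP) len=48 id=19334 TCP: 4290 ->
80 .S.... seq=c341601f ack=00000000
eth0:I[48]: 10.0.0.3 -> 83.246.65.3 (TCP) len=48 id=35879 TCP: 4290 ->
80 .S.... seq=c341601f ack=00000000
eth1:o[48]: 10.0.0.3 -> 83.246.65.3 (TCP) len=48 id=35879 TCP: 4290 ->
80 .S.... seq=c341601f ack=00000000
eth1:O[48]: 1.1.1.139 -> 83.246.65.3 (TCP) len=48 id=35879 TCP: 4290 ->
80 .S.... seq=c341601f ack=00000000
eth1:i[48]: 83.246.65.3 -> 1.1.1.139 (TCP) len=48 id=0 TCP: 80 -> 4290
.S..A. seq=715beef3 ack=c3416020
eth1:I[48]: 83.246.65.3 -> 10.0.0.3 (TCP) len=48 id=0 TCP: 80 -> 4290
.S..A. seq=715beef3 ack=c3416020
"""

if __name__ == "__main__":
    for name, trace in (("working", WORKING_TRACE), ("failing", FAILING_TRACE)):
        print(name, dict(summarize(trace)), "redirected:", redirected_syns(summarize(trace)))
```

Run against the working trace, the client SYN shows its destination rewritten from 83.246.65.3:80 to 10.0.0.3:8080 between i and I and its source hidden behind 1.1.1.164 between o and O; in the failing trace the only SYN seen is the proxy's own, with nothing but the o-to-O source translation to 1.1.1.139, and the returning SYN/ACK shows only the inbound static NAT reversal. Feeding a full capture through `summarize` is a quick way to see at which inspection point a resource rule stopped acting on a given client's packets.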