Great Circle Associates Firewalls
(July 1997)
 


Subject: Re: [FW1] FW-1 DESTINATION IP Address Translation
From: Jerald Josephs <Jerald . Josephs @ Ebay . Sun . COM>
Date: Tue, 8 Jul 1997 19:42:43 -0700 (PDT)
To: fw-1-mailinglist @ us . checkpoint . com, firewalls @ greatcircle . com, martinw @ epcorp . com
Reply-to: Jerald Josephs <Jerald . Josephs @ Ebay . Sun . COM>

jj ->X-Sender: martinw @ mail . epcorp . com
jj ->Date: Mon, 07 Jul 1997 10:32:46 -0400
jj ->To: fw-1-mailinglist @ us . checkpoint . com, firewalls @ greatcircle . com
jj ->From: "Martin C. Walker" <martinw @ epcorp . com>
jj ->Subject: [FW1] FW-1 DESTINATION IP Address Translation
jj ->Mime-Version: 1.0
jj ->
jj ->Can anyone provide me with details on how translate the
jj ->DESTINATION IP address in a forward moving packet outbound
jj ->from the firewall to the internet ?
jj ->
jj ->normal NAT translates only the SOURCE IP address.
jj ->
jj ->Ideally I'd like to translate only the destination address and
jj ->leave the source as an illegal 10.* address.  If this is not doable
jj ->I'd need to translate both addresses.
jj ->
jj ->I have Sun's version of FW-1 2.1c on Solaris 2.5.1x86.
jj ->
jj ->I will be going to 3.0a soon, so if it's different or not do-able
jj ->on 3.* products I'd like to know that too.
jj ->
jj ->TIA for the help

It is really quite simple.

I am struggling, however, to imagine a scenario where I want FireWall-1 to
address translation to route packets for me.

Define an FWXT_DST_STATIC rule for the range of internal IP addresses that you
wish to modify with the translation address one of the valid, external IP
addresses.

For example, if your internal network is 10.0.0.0 and your external network
is 192.168.1.0, you might translate with

+---+---------------+---------------+-----------------+---------------+
|No.| From Original | To Original   | Method          | 1st Translated|
|   | Address (Port)| Address (Port)|                 | Address (Port)|
+---+---------------+---------------+-----------------+---------------+
| 0 |10.0.0.0       |10.0.0.254     |FWXT_DST_STATIC  |192.168.1.2    |
+---+---------------+---------------+-----------------+---------------+

Now, the next problem you face is Valid Addresses. Will FireWall-1 block
this packet?

According to the standard practice of defining Others as the Valid Addresses
for the external interface, FireWall-1 will block any packet exiting the  
external interface if the source IP address is not from one of the intranets, 
i.e. someone in your enterprise is trying to spoof the Internet.

In your case, there is no need to modify the Valid Addresses on either
interface of the gateway.


    /\  Jerald E. Josephs
   \\ \  Course Developer - Network Security
  \ \\ /  Sun Educational Services
 / \/ / / 
/ /   \//\ 
\//\   / / 
 / / /\ /
  / \\ \  Phone/VM: 408-276-0941
   \ \\  FAX: 408-276-1565
    \/  E-mail: jerald . josephs @ EBay . Sun . COM
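A small model of the two decisions the reply walks through, added here as an illustration and not code from the thread or from FireWall-1 itself: the FWXT_DST_STATIC row from the table is applied as a one-to-one mapping (each original address keeps its offset from 10.0.0.0, an assumption about static translation semantics), and the Valid Addresses check on the external interface drops any outbound packet whose source is not an internal 10.* address. The rule, network and function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticDstRule:
    """One FWXT_DST_STATIC row: original address range and first translated address."""
    from_orig: str
    to_orig: str
    first_translated: str

    def translate(self, dst):
        """Return the translated destination, or None if dst is outside the original range.
        Assumed one-to-one semantics: dst keeps its offset from the start of the range."""
        d = ipaddress.IPv4Address(dst)
        lo = ipaddress.IPv4Address(self.from_orig)
        hi = ipaddress.IPv4Address(self.to_orig)
        if not lo <= d <= hi:
            return None
        return str(ipaddress.IPv4Address(self.first_translated) + (int(d) - int(lo)))


# Constructed from the table in the reply: 10.0.0.0-10.0.0.254 -> 192.168.1.2 onwards.
RULES = [StaticDstRule("10.0.0.0", "10.0.0.254", "192.168.1.2")]

# Constructed "Valid Addresses" for the internal side: the questioner's illegal 10.* space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def anti_spoof_ok(src):
    """Valid Addresses check on the external interface: an outbound packet may only
    carry a source address that belongs to one of the internal networks."""
    s = ipaddress.IPv4Address(src)
    return any(s in net for net in INTERNAL_NETS)


def process_outbound(rules, src, dst):
    """Simplified outbound path: anti-spoofing verdict first, then destination translation.
    Returns (verdict, src, dst); the source address is deliberately left untouched."""
    if not anti_spoof_ok(src):
        return ("drop", src, dst)
    for rule in rules:
        new_dst = rule.translate(dst)
        if new_dst is not None:
            return ("accept", src, new_dst)
    return ("accept", src, dst)
```

Running `process_outbound(RULES, "10.0.0.5", "10.0.0.7")` shows the destination rewritten to 192.168.1.9 while the 10.0.0.5 source passes the spoofing check unchanged.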


