Netscreen NAT problem

hello,

I'm having a problem replacing a Checkpoint firewall with a Netscreen. The diagram is as follows:

ISP (real ip 202.44.55.143) --- Router (10.0.0.5) --- (10.0.0.4) Firewall (192.168.1.1) --- Client (192.168.1.x)

Before the replacement, the firewall performed the NAT so that the source IP from the client was the real IP, 202.44.55.143 (using the Hide IP option of the Checkpoint NAT), and so it was able to route outside.

After the replacement with the Netscreen, it does the NAT using the IP address of the untrust interface, 10.0.0.4, and hence the traffic is unroutable.

For the Netscreen, is there any way of forcing the NAT to use 202.44.55.143 as the source IP of NAT-ed packets? I've checked the Netscreen documents, which describe a DIP (or MIP, whatsoever) feature, but DIP/MIP only allow me to set another IP that is still within the subnet of the untrusted interface (so setting 10.0.0.8 is OK, but 202.44.55.143 is not allowed).

The router is from the ISP and it looks like it is not doing NAT, as evidenced by putting a notebook PC in place of the firewall like this: the PC is unable to connect outside.

ISP (real ip 202.44.55.xx) --- Router (10.0.0.5) --- (10.0.0.4) Notebook PC

There is another obvious solution: we scrap the ISP's router and let the new Netscreen do the PPPoE, but there may be some political issue, so I couldn't do it.

Thanks for any help!

idoltman

You're connecting two private networks, so there's no need to do double NAT. Do NAT on the router, and simply route on the firewall.

Umm... something is not right here. If the setup you initially described worked before, the router *must* have done NAT, otherwise you wouldn't have been able to use private IP addresses for the connection between router and firewall. Check the router's configuration. And don't do double NAT.

cu

Ansgar -59cobalt- Wiechers

So I understand... the external interface of the firewall is 10.0.0.4, but you want the egress IPs to be 202.x?

Typically the ISP gives you a routable range, and this is what the firewall router uses. Then you NAT to the egress on the firewall (same as Checkpoint (ugh!) hide NAT). The external router has another, different range for the physical layer.

So why are you using 10.x? This makes things difficult.

You could probably solve this by doing policy-based NAT on all outbound packets, so from Trust to Untrust: Policies > (trust to untrust) > Edit > Advanced > Destination Translation, and fill in the blanks.

Grab the NAT volume.

alan

Alan Strassberg

Yeah, this isn't right. The router shouldn't be on the private network unless IT is doing the NAT. And if the trusted interface on it is a private IP like you show, it would have to be doing the NAT. And if it is, then the Netscreen shouldn't be doing any NAT. Have one or the other do the inbound and outbound NAT, not both.

-Tony

Anthony J. Biacco
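The arrangement the replies converge on (NAT on the ISP router, the Netscreen only routing) as a ScreenOS configuration fragment, added here as an example and not taken from the thread or from any poster; the interface names ethernet1/ethernet3, the /24 masks and the "#" annotation lines are assumptions, and the lines are ScreenOS CLI commands as generally documented, not a verified configuration from this setup. The setting that reproduces the problem is shown beside the corrected one.

```screenos
# Constructed example; interface names and netmasks are assumed.
# Inside (trust) interface toward the 192.168.1.x clients
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.1.1/24

# Outside (untrust) interface toward the ISP router at 10.0.0.5
set interface ethernet3 zone untrust
set interface ethernet3 ip 10.0.0.4/24
set route 0.0.0.0/0 interface ethernet3 gateway 10.0.0.5

# Setting that produces the symptom in the thread: interface-based NAT on
# the trust interface rewrites every client source to 10.0.0.4, an RFC 1918
# address the ISP will not route.
#   set interface ethernet1 nat

# Corrected setting: route mode. The firewall forwards 192.168.1.x sources
# unchanged; the ISP router is the single NAT point and translates them to
# 202.44.55.143, so there is no double NAT.
set interface ethernet1 route

# Outbound policy with no translation clause
set policy from trust to untrust any any any permit
```

With this in place the router must be translating 192.168.1.0/24 (not just 10.0.0.0/24) to 202.44.55.143, which the notebook test already described in the thread, or a capture on the router's outside side, will confirm.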
