Applying NAT Rules in Firewall-1 To External Targets Only?

From To use defaults

immediately followed by:

From To All use external NAT IP for internal host

Will

That's a useful shortcut, thanks!

How do you write the NAT rule in order to have Firewall-1's anti-spoofing features not complain about the packet when it arrives on a DMZ interface? As soon as I turn on anti-spoofing on the DMZ interface, I see packets that comply with the ruleset succeed in the log and pass through the firewall to the DMZ interface. But then there is a second duplicated message in the log with a reject that complains the packet violates the anti-spoofing policy.

Firewall-1 seems to be unable to figure out that the external source IP on a packet that is received *through* the Firewall did not actually *originate* on the DMZ interface. Firewall-1 seems to have tricked itself into believing that legitimate packets that comply with the ruleset are actually hackers on the DMZ trying to originate messages with invalid source IPs. I'm baffled at this point at how to circumvent that very strange behavior, short of using NAT to alter the source IP itself, which would be an enormous hack, and not secure.

Will

As long as you have client-side NAT ticked in the global properties and anti-spoofing properly configured in the gateway's topology, it will figure it out.

Sounds like you don't have it properly configured on every interface.

Getting the topology right is essential.

Recommend taking a trawl through the fw1 wizards mailing list archive and the forums on [link] for other useful information regarding starting out with fw1.

greg

Greg Hennessy

Our network is this simple:

The external interface is configured with anti-spoofing set to "Others". The three DMZ interfaces are each configured with anti-spoofing set to "This Network".

That exactly matches the topology suggested by the Firewall-1 online documentation as well. Did we do something wrong? When we configure it this way, we get anti-spoofing log messages when the packets get to the DMZ interface.

Someone else mentioned to me that Firewall-1 is routing the packet to the DMZ interface and only then performing NAT. Is that right? In that case, don't you need to configure the DMZ interfaces to work with both the before-NAT and after-NAT versions of the IP expected at each DMZ?

Will
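To show why the NAT ordering Greg and Will are discussing decides whether the DMZ interface's anti-spoofing check fires, here is an added, simplified Python model of the thread's topology (it is not Firewall-1 code and not from the original posts). It assumes the order "inbound source check, then NAT if client-side, then routing, then outbound destination check, then NAT if server-side", a constructed static NAT mapping, and a constructed host route for the untranslated public address; all addresses are documentation ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed topology mirroring the thread: the external interface uses
# "Others", the three DMZ interfaces use "This Network" (documentation ranges).
DMZ_NETS = {"dmz1": ip_network("10.1.0.0/24"),
            "dmz2": ip_network("10.2.0.0/24"),
            "dmz3": ip_network("10.3.0.0/24")}
# Static destination NAT (constructed): public address -> DMZ host.
STATIC_NAT = {ip_address("203.0.113.10"): ip_address("10.1.0.10")}
# Host route (constructed) so the untranslated public address still reaches dmz1
# when translation happens only after routing.
HOST_ROUTES = {ip_address("203.0.113.10"): "dmz1"}

def is_valid(iface, addr):
    """'This Network' = the interface's own subnet; 'Others' = every address
    not claimed by another interface (assumed meaning of the two settings)."""
    if iface in DMZ_NETS:
        return addr in DMZ_NETS[iface]
    return not any(addr in net for net in DMZ_NETS.values())

def route(dst):
    """Egress interface chosen from the (possibly untranslated) destination."""
    if dst in HOST_ROUTES:
        return HOST_ROUTES[dst]
    for iface, net in DMZ_NETS.items():
        if dst in net:
            return iface
    return "external"

def forward(src, dst, ingress, client_side_nat):
    """Return (verdict, egress) for one inbound packet under the assumed order:
    inbound source check -> [NAT if client-side] -> routing ->
    outbound destination check -> [NAT if server-side]."""
    src, dst = ip_address(src), ip_address(dst)
    if not is_valid(ingress, src):
        return ("reject: spoofed source on %s" % ingress, None)
    if client_side_nat:
        dst = STATIC_NAT.get(dst, dst)      # translated before routing
    egress = route(dst)
    if not is_valid(egress, dst):
        # The symptom in the thread: the rule accepted the packet, but the
        # still-untranslated destination is not in the DMZ interface's topology.
        return ("reject: anti-spoofing on %s" % egress, egress)
    if not client_side_nat:
        dst = STATIC_NAT.get(dst, dst)      # translated only after routing
    return ("accept -> %s" % dst, egress)
```

With client-side translation the destination is already the DMZ host address when the egress check runs, so the same packet that is rejected in the server-side ordering passes; a packet arriving on the external interface with a DMZ source address is rejected by the inbound check in both orderings.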
