From To use defaults
immediately followed by:
From To All use external NAT IP for internal host
That's a useful shortcut, thanks!
How do you write the NAT rule in order to have Firewall-1's anti-spoofing features not complain about the packet when it arrives on a DMZ interface? As soon as I turn on anti-spoofing on the DMZ interface, I see packets that comply with the ruleset succeed in the log and pass through the firewall to the DMZ interface. But then there is a second duplicated message in the log with a reject that complains the packet violates the anti-spoofing policy.
Firewall-1 seems to be unable to figure out that the external source IP on a packet that is received *through* the Firewall did not actually *originate* on the DMZ interface. Firewall-1 seems to have tricked itself into believing that legitimate packets that comply with the ruleset are actually hackers on the DMZ trying to originate messages with invalid source IPs. I'm baffled at this point at how to circumvent that very strange behavior, short of using NAT to alter the source IP itself, which would be an enormous hack, and not secure.
As long as you have client-side NAT ticked in the global properties and anti-spoofing properly configured in the gateway's topology, it will figure it out.
Sounds like you don't have it properly configured on every interface.
Getting the topology right is essential.
Recommend taking a trawl through the fw1 wizards mailing list archive and the forums on
greg
Our network is this simple:
External interface is configured with anti-spoofing set to "Others".
Three DMZ interfaces are each configured with anti-spoofing set to "This Network".
That exactly matches the topology suggested by the Firewall-1 online documentation as well. Did we do something wrong? When we configure it this way, we get anti-spoofing log messages when the packets get to the DMZ interface.
Someone else mentioned to me that Firewall-1 is routing the packet to the DMZ interface and only then performing NAT. Is that right? In that case don't you need to configure the DMZ interfaces to work with both the before NAT and after NAT versions of the IP expected at each DMZ?
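A constructed model of the processing order discussed in this thread, added here as an illustration and not Check Point's own code: interface names, addresses and the "inbound source / outbound destination" check order are assumptions. It shows why the DMZ interface's "This Network" check rejects a packet that is routed before its destination is translated (server-side NAT), and why translating on the client side before routing passes the same check.

```python
import ipaddress

# Constructed topology modelled on the thread: external interface set to "Others",
# each DMZ interface set to "This Network". All addresses are made up.
IFACES = {
    "ext":  {"net": ipaddress.ip_network("203.0.113.0/24"), "topology": "Others"},
    "dmz1": {"net": ipaddress.ip_network("10.1.1.0/24"), "topology": "This Network"},
    "dmz2": {"net": ipaddress.ip_network("10.1.2.0/24"), "topology": "This Network"},
}
# Hypothetical static NAT: public address -> DMZ host.
STATIC_NAT = {ipaddress.ip_address("203.0.113.10"): ipaddress.ip_address("10.1.1.10")}
# Routing table, longest prefix wins. The /32 host route is what server-side NAT needs
# so the still-untranslated packet is routed towards the DMZ at all.
ROUTES = [(ipaddress.ip_network("203.0.113.10/32"), "dmz1"),
          (ipaddress.ip_network("10.1.1.0/24"), "dmz1"),
          (ipaddress.ip_network("10.1.2.0/24"), "dmz2"),
          (ipaddress.ip_network("0.0.0.0/0"), "ext")]

def valid_on(iface, addr):
    """Anti-spoofing validity: 'This Network' accepts only its own subnet,
    'Others' accepts anything not behind some 'This Network' interface."""
    this_nets = [i["net"] for i in IFACES.values() if i["topology"] == "This Network"]
    if IFACES[iface]["topology"] == "This Network":
        return addr in IFACES[iface]["net"]
    return not any(addr in n for n in this_nets)

def route(dst):
    """Longest-prefix-match lookup returning the egress interface name."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def deliver(src, dst, ingress, client_side_nat):
    """Simplified order: inbound spoof check on the source, destination NAT either
    before routing (client side) or after it (server side), then an outbound spoof
    check of the destination on the egress interface. Returns (verdict, egress, dst)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not valid_on(ingress, src):
        return ("spoof-reject-inbound", ingress, str(dst))
    if client_side_nat:
        dst = STATIC_NAT.get(dst, dst)      # translate before the routing decision
    egress = route(dst)
    if not valid_on(egress, dst):           # DMZ interface still sees the public IP
        return ("spoof-reject-outbound", egress, str(dst))
    if not client_side_nat:
        dst = STATIC_NAT.get(dst, dst)      # server side: translate only on the way out
    return ("accept", egress, str(dst))
```

Run `deliver("198.51.100.5", "203.0.113.10", "ext", False)` and then with `True` to compare the two verdicts for the same packet.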