Port Address Translation 4.1 and NG
Port address translation with only 1 public IP (bound to the external NIC)
Tested on Firewall-1 4.1 SP5a (IPSO) and NG FP2 (WIN2K)
You only have one public IP address, which is bound to the external interface of the firewall.
You NAT hide your internal network so users can connect to the internet.
You want to connect to servers on your DMZ using that single public IP address.
As of 4.1 SP3, FireWall-1 came with an additional feature, the 'service-mapped' service. If you open up Network Objects you will find several predefined mapped services: http-mapped, smtp-mapped and ftp-mapped. These services have been pre-defined for convenience, but this type of port mapping will work for any TCP service. Notice that they are of the service type 'other' and have a default match field set to 'SRV_REDIRECT(8080,192.168.1.5,80)'. This means: listen on port 8080 and then redirect to IP 192.168.1.5 on port 80. Here are the necessary rules.
(NOTE: Check Point advise that at least one address translation rule exists; however, it does not need to be a working rule (a dummy rule will do).)
| source | destination | service | action |
| any | firewall | http-mapped | accept |
| any | web_server | http | accept |
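To make the SRV_REDIRECT semantics and the reason for the second rule concrete, here is a small rule-base walk-through. It is an added example, not Check Point code: it parses the 'SRV_REDIRECT(8080,192.168.1.5,80)' match string, rewrites the destination of a packet that hits the mapped service, and then (an assumption made for the model, reflecting the page's requirement for the 'any, web_server, http, accept' rule) matches the rewritten packet against the rule base a second time. The public IP 203.0.113.10 and the client IP used in the test are constructed values; only 192.168.1.5 comes from the page.

```python
import re
from dataclasses import dataclass, replace

# Constructed addresses for the walk-through; only 192.168.1.5 comes from the page.
FIREWALL_EXT_IP = "203.0.113.10"   # assumed: the single public IP on the external NIC
OBJECTS = {"firewall": {FIREWALL_EXT_IP}, "web_server": {"192.168.1.5"}}
SERVICES = {
    "http": {"port": 80},
    "http-mapped": {"match": "SRV_REDIRECT(8080,192.168.1.5,80)"},  # default match from the page
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def parse_redirect(match):
    """SRV_REDIRECT(listen_port, target_ip, target_port) -> (8080, '192.168.1.5', 80)."""
    m = re.fullmatch(r"SRV_REDIRECT\((\d+),([\d.]+),(\d+)\)", match)
    if not m:
        raise ValueError(f"not a SRV_REDIRECT match string: {match}")
    return int(m.group(1)), m.group(2), int(m.group(3))

def host_matches(obj, ip):
    return obj == "any" or ip in OBJECTS[obj]

def service_matches(svc, pkt):
    # A mapped service matches on the listen port of its SRV_REDIRECT string.
    if svc == "any":
        return True
    spec = SERVICES[svc]
    port = parse_redirect(spec["match"])[0] if "match" in spec else spec["port"]
    return pkt.dport == port

def evaluate(rulebase, pkt, redirected=False):
    """Return (action, final packet). Accepting a mapped service rewrites the destination;
    the rewritten packet is then matched against the rule base once more (model assumption)."""
    for src, dst, svc, action in rulebase:
        if host_matches(src, pkt.src) and host_matches(dst, pkt.dst) and service_matches(svc, pkt):
            spec = SERVICES.get(svc, {})
            if action == "accept" and "match" in spec and not redirected:
                _, ip, port = parse_redirect(spec["match"])
                return evaluate(rulebase, replace(pkt, dst=ip, dport=port), True)
            return action, pkt
    return "drop", pkt  # implicit cleanup drop

RULEBASE = [("any", "firewall", "http-mapped", "accept"),
            ("any", "web_server", "http", "accept"),
            ("any", "any", "any", "drop")]
```

Running evaluate() with the second rule removed shows the redirected packet falling through to the drop rule, which is why both rules are listed as necessary.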
To simply Port Address Translate without address translating, you can add a NAT rule as depicted below.
| original packet | | | translated packet | | |
| source | destination | service | source | destination | service |
| any | web_server | http-8080 | any | web_server | http |
NOTE: It was suggested that on NG the firewall external IP address could be translated to an internal address based on port using a NAT rule. I tested this and found it not to be the case in a single public IP scenario. Here is a copy of the notes I published to the FW-1 forum.
A question has been asked about port address translation. A subscriber has answered this request for information by posting a link to PhoneBoy's website, which has an FAQ which explains that on NG you can use network address translation to translate the public IP of the firewall port 80 to a private address on port 80. (The firewall in this scenario has a single public IP.)
I have tested this on two versions of NG on two platforms. I had no success on either using the following NAT rule.
(Note: tested on NG FP1 IPSO and NG FP2 Win2K.)
| ORIGINAL PACKET | | | TRANSLATED PACKET | | |
| source | destination | service | source | destination | service |
| any | firewall | http | original | web_server | original |
I did, however, have success using this 'single public IP bound to the firewall external NIC' scenario by using an 'http-mapped' rule as follows:
(Note: this works on 4.1 SP5, NG FP1 IPSO and NG FP2 Win2K.)
| source | destination | service | action |
| any | firewall | http-mapped | accept |
| any | web_server | http | accept |
| any | any | any | drop |
Note: the 'http-mapped' match is set to 'SRV_REDIRECT(80,<web_server_ip>,80)'.
For these tests I had client side NAT enabled and the rule base was any accept.
I tested another scenario: 2 public IPs, one bound to the firewall external NIC; for the other I added a proxy ARP entry in Voyager. I then used a network address translation rule to port translate and IP translate. This was successful (as one would expect). (Tested on NG FP1 IPSO.)
| ORIGINAL PACKET | | | TRANSLATED PACKET | | |
| source | destination | service | source | destination | service |
| any | proxy_arp_pub_ip | http | original | web_server | original |
| web_server | any | any | proxy_arp_pub_ip | original | original |
Since writing the above notes I found this technote, which explains that manual NAT rules do not client side NAT, which would explain why it doesn't work. I haven't tried this solution yet but I'm fairly sure it's the fix.
Technote: In what order are NAT rules enforced in FireWall-1 NG FP2
Solution:
Automatic NAT rules are applied before Manual NAT rules regardless of their order in the Address Translation Rule Base. This is because Automatic NAT is performed on the client side while Manual NAT is performed on the server side.
There are two workarounds for this:
To force the Automatic NAT rules to translate on the server side:
1. Open the Policy Editor GUI.
2. Go to Policy, Global Properties, Network Address Translation.
3. Uncheck: Perform Destination translation on the client side
To force the Manual NAT rules to translate on the client side:
1. Edit the objects_5_0.C file with dbedit.
2. Change the following to read: nat_dst_client_side_manual (true)
22/APR/02 Jim Parker