Applying NAT Rules in Firewall-1 To External Targets Only?

For a Checkpoint Firewall-1 implementation with one external segment and 12
internal segments, is there any way to write the NAT rules so that when an
internal DMZ host sends packets to the external interface then NAT is
applied, but packets sent to other hosts in other internal DMZ segments is
not rewritten by NAT? Is the idea to first write an NAT rule that says:

From To use defaults

immediately followed by:

From To All use external NAT IP for internal host

--
Will

Re: Applying NAT Rules in Firewall-1 To External Targets Only?

On Wed, 30 Aug 2006 22:35:25 -0700, "Will"
wrote:

>For a Checkpoint Firewall-1 implementation with one external segment and 12
>internal segments, is there any way to write the NAT rules so that when an
>internal DMZ host sends packets to the external interface then NAT is
>applied, but packets sent to other hosts in other internal DMZ segments is
>not rewritten by NAT?

Yes. Turn off automatic NAT for a start.

>Is the idea to first write an NAT rule that says:
>
> From To use defaults
>
>immediately followed by:
>
> From To All use external NAT IP for internal host

The NAT tab in SmartCrashboard operates on a 1st match basis.

So the above method will work. Put the internal/dmz nets into groups to
allow them to be aggregated into a single nat rule.


The 1st nat rule would would be something like

dmz-nets dmz-nets any original original any




greg

--
Müde lieg ich lieg in der Scheisse,
und niemand weiss, wie ich heisse.
Es gibt nur einen, der mich kennt,
und mich bei meinem Namen nennt.

Re: Applying NAT Rules in Firewall-1 To External Targets Only?

"Greg Hennessy" wrote in message
news:929df21l4o11ju0539ltsq0b5bo6pgp1m0@4ax.com...
> The 1st nat rule would would be something like
>
> dmz-nets dmz-nets any original original any

That's a useful shortcut, thanks!

How do you write the NAT rule in order to have Firewall-1's anti-spoofing
features not complain about the packet when it arrives on a DMZ interface?
As soon as I turn on anti-spoofing on the DMZ interface, I see packets that
comply with the ruleset succeed in the log and pass through the firewall to
the DMZ interface. But then there is a second duplicated message in the
log with a reject that complains the packet violates the anti-spoofing
policy.

Firewall-1 seems to be unable to figure out that the external source IP on a
packet that is received *through* the Firewall did not actually *originate*
on the DMZ interface. Firewall-1 seems to have tricked itself into
believing that legitimate packets that comply with the ruleset are actually
hackers on the DMZ trying to originate messages with invalid source IPs.
I'm baffled at this point at how to circumvent that very strange behavior,
short of using NAT to alter the source IP itself, which would be an enormous
hack, and not secure.

--
Will

Re: Applying NAT Rules in Firewall-1 To External Targets Only?

On Thu, 31 Aug 2006 15:21:09 -0700, "Will"
wrote:

>"Greg Hennessy" wrote in message
>news:929df21l4o11ju0539ltsq0b5bo6pgp1m0@4ax.com...
>> The 1st nat rule would would be something like
>>
>> dmz-nets dmz-nets any original original any
>
>That's a useful shortcut, thanks!
>
>How do you write the NAT rule in order to have Firewall-1's anti-spoofing
>features not complain about the packet when it arrives on a DMZ interface?

As long as you have client side NAT ticked in the global properties and
anti spoofing properly configured in the gateway's topology it will figure
it out.


>As soon as I turn on anti-spoofing on the DMZ interface, I see packets that
>comply with the ruleset succeed in the log and pass through the firewall to
>the DMZ interface. But then there is a second duplicated message in the
>log with a reject that complains the packet violates the anti-spoofing
>policy.


Sounds like you dont have it properly configured on every interface.


Getting the topology right is essential.


Recommend taking a trawl through the fw1 wizards mailing lists archive and
the forums on www.cpug.org for other useful information regarding starting
out with fw1.




greg
--
Müde lieg ich lieg in der Scheisse,
und niemand weiss, wie ich heisse.
Es gibt nur einen, der mich kennt,
und mich bei meinem Namen nennt.

Re: Applying NAT Rules in Firewall-1 To External Targets Only?

"Greg Hennessy" wrote in message
news:n8off2pr31uk1fgvhuoea8rcapbjaaesli@4ax.com...
> >As soon as I turn on anti-spoofing on the DMZ interface, I see packets
that
> >comply with the ruleset succeed in the log and pass through the firewall
to
> >the DMZ interface. But then there is a second duplicated message in the
> >log with a reject that complains the packet violates the anti-spoofing
> >policy.
>
> Sounds like you dont have it properly configured on every interface.
>
> Getting the topology right is essential.

Our network is this simple:

External interface is configured with anti-spoofing set to "Others"
Three DMZ interfaces are each configured with anti-spoofing set to "This
Network"

That exactly matches the topology suggested by the Firewall-1 online
documentation as well. Did we do something wrong? When we configure it
this way, we get anti spoofing log messages when the packets get to the DMZ
interface.

Someone else mentioned to me that Firewall-1 is routing the packet to the
DMZ interface and only then performing NAT. Is that right? In that case
don't you need to configure the DMZ interfaces to work with both the before
NAT and after NAT versions of the IP expected at each DMZ?

--
Will