Netscreen NAT problem
on 16.04.2007 12:30:49 by idoltman
hello,
I'm having a problem in replacing a Checkpoint firewall with a
Netscreen. The diagram is as follows:
ISP <--> (real ip 202.44.55.143) Router (10.0.0.5) <--> (10.0.0.4)
Firewall (192.168.1.1) <-----> Client (192.168.1.x)
Before the replacement, the firewall could perform the NAT so that the
source IP from the client would be the real IP, i.e. 202.44.55.143
(using the Hide IP option of the Checkpoint NAT), and then it was
able to route outside.
After the replacement using Netscreen, it does the NAT using the IP
address of the untrust interface 10.0.0.4, and hence, unroutable.
For the Netscreen, is there any way of forcing the NAT to use
202.44.55.143 as the source IP of NAT-ed packets? I've checked
the Netscreen documents, which mention a feature called DIP (or MIP
or whatever), but DIP/MIP only allow me to set another IP that is
still within the subnet of the untrusted interface (so setting 10.0.0.8
is OK, 202.44.55.143 is not allowed).
The router is from the ISP and it looks like it's not NAT-ed, as evidenced
by putting a notebook PC in place of the firewall like this: the PC is
unable to connect outside.
ISP <--> (real ip 202.44.55.xx) Router (10.0.0.5) <--> (10.0.0.4)
Notebook PC
There is another obvious solution: we scrap the ISP's router and
let the new Netscreen do the PPPoE, but there may be some political
issue so that I couldn't do it.
Thanks for any help!
Re: Netscreen NAT problem
on 16.04.2007 14:28:16 by Ansgar -59cobalt- Wiechers
idoltman wrote:
> I'm having a problem in replacing a Checkpoint firewall with a
> Netscreen. The diagram is as follows:
>
> ISP <--> (real ip 202.44.55.143) Router (10.0.0.5) <--> (10.0.0.4)
> Firewall (192.168.1.1) <-----> Client (192.168.1.x)
>
> Before the replacement, the firewall could perform the NAT so that the
> source IP from the client would be the real IP, i.e. 202.44.55.143
> (using the Hide IP option of the Checkpoint NAT), and then it was
> able to route outside.
You're connecting two private networks, so there's no need to do double
NAT. Do NAT on the router, and simply route on the firewall.
> After the replacement using Netscreen, it does the NAT using the IP
> address of the untrust interface 10.0.0.4, and hence, unroutable.
>
> For the Netscreen, is there any way of forcing the NAT to use
> 202.44.55.143 as the source IP of NAT-ed packets? I've checked
> the Netscreen documents, which mention a feature called DIP (or MIP
> or whatever), but DIP/MIP only allow me to set another IP that is
> still within the subnet of the untrusted interface (so setting 10.0.0.8
> is OK, 202.44.55.143 is not allowed).
>
> The router is from the ISP and it looks like it's not NAT-ed, as evidenced
> by putting a notebook PC in place of the firewall like this: the PC is
> unable to connect outside.
>
> ISP <--> (real ip 202.44.55.xx) Router (10.0.0.5) <--> (10.0.0.4)
> Notebook PC
Umm... something is not right here. If the setup you initially described
has worked before, the router *must* have done NAT, otherwise you
wouldn't have been able to use private IP addresses for the connection
between router and firewall. Check the router's configuration. And don't
do double NAT.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Netscreen NAT problem
on 16.04.2007 17:08:34 by paleale
[..]
>
>I'm having a problem in replacing a Checkpoint firewall with a
>Netscreen. The diagram is as follows:
>
> ISP <--> (real ip 202.44.55.143) Router (10.0.0.5) <--> (10.0.0.4)
>Firewall (192.168.1.1) <-----> Client (192.168.1.x)
>
>Before the replacement, the firewall could perform the NAT so that the
>source IP from the client would be the real IP, i.e. 202.44.55.143
>(using the Hide IP option of the Checkpoint NAT), and then it was
>able to route outside.
>
>After the replacement using Netscreen, it does the NAT using the IP
>address of the untrust interface 10.0.0.4, and hence, unroutable.
>
>For the Netscreen, is there any way of forcing the NAT to use
>202.44.55.143 as the source IP of NAT-ed packets? I've checked
>the Netscreen documents, which mention a feature called DIP (or MIP
>or whatever), but DIP/MIP only allow me to set another IP that is
>still within the subnet of the untrusted interface (so setting 10.0.0.8
>is OK, 202.44.55.143 is not allowed).
>
>The router is from the ISP and it looks like it's not NAT-ed, as evidenced
>by putting a notebook PC in place of the firewall like this: the PC is
>unable to connect outside.
>
> ISP <--> (real ip 202.44.55.xx) Router (10.0.0.5) <--> (10.0.0.4)
>Notebook PC
>
>There is another obvious solution: we scrap the ISP's router and
>let the new Netscreen do the PPPoE, but there may be some political
>issue so that I couldn't do it.
So I understand... the external interface of the firewall
is 10.0.0.4 but you want the egress IPs to be 202.x?
Typically the ISP gives you a routable range and this is what the
firewall <-> router link uses. Then you NAT to the egress on the firewall
(same as Checkpoint (ugh!) hide NAT). The external router has
another, different range for the physical layer.
So why are you using 10.x? This makes things difficult.
You could probably solve this by doing policy-based NAT on all
outbound packets. So from Trust to Untrust..
Policies > (trust to untrust) > Edit > Advanced > Destination
Translation - and fill in the blanks.
http://www.juniper.net/techpubs/software/screenos/
Grab the NAT volume.
alan
Re: Netscreen NAT problem
on 19.04.2007 18:42:56 by thelittleprince
yeah, this isn't right. the router shouldn't be on the private network
unless IT is doing the NAT. and if the trusted interface on it is a
private IP like you show, it would have to be doing the NAT. and if it
is, then the netscreen shouldn't be doing any NAT.
have one or the other do the inbound and outbound NAT, not both.
-Tony
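The point made by both Ansgar and Tony (NAT once, on whichever box owns the public address, and never with a private address as the translated source) can be checked with a small model. The following is an added example, not code from the thread or from Juniper/ScreenOS: it models each hop as either a plain router or a hide/source NAT with a session table, pushes a constructed client flow outward, requires the egress source to be globally routable before a reply can exist, and carries the reply back through the translations. The client address, server address (an RFC 5737 documentation prefix) and ports are constructed; the public address 202.44.55.143 and the untrust address 10.0.0.4 are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatHop:
    """One router or firewall on the path. With nat_to set it does hide/source
    NAT: outbound packets get nat_to as source and a fresh port, and the
    mapping is kept so the reply can be translated back. Without nat_to it
    only routes and leaves packets untouched."""

    def __init__(self, name: str, nat_to: Optional[str] = None) -> None:
        self.name = name
        self.nat_to = nat_to
        # (translated src, translated port) -> (original src, original port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        if self.nat_to is None:
            return pkt
        port = self._next_port
        self._next_port += 1
        self.table[(self.nat_to, port)] = (pkt.src, pkt.sport)
        return Packet(self.nat_to, pkt.dst, port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if self.nat_to is None:
            return pkt
        orig = self.table.get((pkt.dst, pkt.dport))
        if orig is None:
            return None  # no session entry: the reply is dropped
        src, sport = orig
        return Packet(pkt.src, src, pkt.sport, sport)


def internet_accepts(pkt: Packet) -> bool:
    """The ISP's upstream only carries packets whose source is globally
    routable; an RFC 1918 source such as 10.0.0.4 can never get a reply."""
    return ipaddress.ip_address(pkt.src).is_global


def round_trip(hops: List[NatHop], pkt: Packet) -> Optional[Packet]:
    """Push pkt from the client through hops (inside to outside), check that
    the egress source is routable, then carry the server's reply back.
    Returns the reply as the client sees it, or None if it never arrives."""
    for hop in hops:
        pkt = hop.outbound(pkt)
    if not internet_accepts(pkt):
        return None
    reply = Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)
    for hop in reversed(hops):
        reply = hop.inbound(reply)
        if reply is None:
            return None
    return reply


# Constructed sample flow: a client behind the firewall opening an HTTP
# connection to a server in the RFC 5737 documentation range.
CLIENT_PKT = Packet("192.168.1.10", "203.0.113.80", 51515, 80)
PUBLIC_IP = "202.44.55.143"   # the real IP from the thread
UNTRUST_IP = "10.0.0.4"       # Netscreen untrust interface address


def scenarios() -> Dict[str, Optional[Packet]]:
    """The four combinations discussed in the thread, fresh hops each time."""
    return {
        # Old setup as described: firewall hides behind the public IP, router routes.
        "checkpoint hide NAT, router routes":
            round_trip([NatHop("checkpoint", PUBLIC_IP), NatHop("router")], CLIENT_PKT),
        # Netscreen interface NAT to 10.0.0.4 with a non-NAT router: unroutable.
        "netscreen NAT to untrust IP, router routes":
            round_trip([NatHop("netscreen", UNTRUST_IP), NatHop("router")], CLIENT_PKT),
        # The advice in the replies: firewall only routes, router does the NAT.
        "netscreen routes, router NATs":
            round_trip([NatHop("netscreen"), NatHop("router", PUBLIC_IP)], CLIENT_PKT),
        # Double NAT: works, but is the needless second translation the replies warn against.
        "netscreen NAT to untrust IP, router NATs":
            round_trip([NatHop("netscreen", UNTRUST_IP), NatHop("router", PUBLIC_IP)], CLIENT_PKT),
    }


if __name__ == "__main__":
    for name, reply in scenarios().items():
        print(f"{name:45s} -> {'reply reaches client' if reply else 'no reply'}")
```

Only the second scenario fails, and it fails for exactly the reason the original post observes: the egress source 10.0.0.4 is not globally routable. The model deliberately ignores which box owns 202.44.55.143, which is the inconsistency Ansgar points at: in the first scenario the replies are addressed to the router's own public IP, so a router that is not translating would have no reason to forward them to the firewall.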