
Re: [FW1] NAT and/or Telnet Proxying





Hi David, after 2 weeks in Crete I'm back and ready to answer your
question. We have 2 DIFFERENT providers! One for the internet
connectivity and the second is a provider which connects our remote
offices to our central site. So, the addresses we are natting are
official internet addresses.
 
André
-----Original Message-----
From: Spigelman, David
To: 'André Münch' ; 'fw-1-mailinglist@lists.us.checkpoint.com'
Sent: Monday, May 21, 2001 16:35
Subject: RE: [FW1] NAT and/or Telnet Proxying

Andre, I'm not quite sure I understand the problem. It sounds like
your provider is giving you only private addresses for your outside
network. If that's true, then the address you're using for NAT will
also be private, right? So you won't be able to get to it from the
Internet, at all.
 
Unless I misunderstood your post...
 
-- DS
-----Original Message-----
From: André Münch [mailto:ajmuench@hotmail.com]
Sent: Thursday, May 17, 2001 7:44 AM
To: 'fw-1-mailinglist@lists.us.checkpoint.com'
Subject: [FW1] NAT and/or Telnet Proxying

      Hi all,
 
here is my problem:
 
Our users at the remote sites are connected to our central
site over the network of a private net-provider. The provider
routes only internal IP addresses. We have a subnetted 10.8.
address range. The remote users have an application which
connects to a server in the Internet with telnet. Because
this official server IP address isn't routed by the provider
there is the need to find a solution. Up to now I had two
ideas:
 
1. NAT - will this work?
The application config at the remote site will get a dummy IP
address (no real server behind) of a telnet server. This
dummy IP is out of the range of an IP segment from behind
(sight of the remote hosts) the FW1. The remote hosts are
hidden behind the official internet address (hide mode). The
real telnet server is addressed by static destination mode.
Now the rules. I will focus on the NAT rules.
 
Source          Destination   Service   source         destination             service
remote network  dummy telnet  telnet    netz_hide(H)   real telnet server(S)   telnet
 
I couldn't find this double NAT in the Check Point literature.
A first (quick and dirty) try had no success. The connection
was dropped by the clearing rule.
 
2. Transparent proxying
The second idea is a transparent proxy. For example a Linux
host in the local network with the new kernel 2.4 and
iptables. The Linux host then could NAT (and proxy) the
remote hosts and the internal IP address of the Linux host
could be NATed by the FW1.
Will this work?
 
Any other solutions?
 
André
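
Idea 2 from the original post, written out as iptables rules for the Linux host. This is an added example, not part of the thread; every address below is a constructed placeholder (the post gives only "10.8."), and the variable and function names are hypothetical.

```sh
#!/bin/sh
# Added example: destination NAT plus source NAT on a Linux 2.4+ host.
# All addresses are constructed placeholders, not values from the post.
REMOTE_NET="10.8.0.0/16"      # assumed remote-office range
DUMMY_IP="10.8.250.23"        # assumed dummy telnet address set in the application
REAL_SERVER="198.51.100.23"   # placeholder for the real Internet telnet server
LINUX_IP="10.8.250.2"         # assumed internal address of the Linux host
# The provider must route DUMMY_IP toward the Linux host for any of this to match.

# Print the rule set, one iptables command per line, without touching the kernel.
nat_rules() {
    # Destination NAT happens in PREROUTING, before the routing decision:
    # dummy address -> real server.
    echo "iptables -t nat -A PREROUTING -s $REMOTE_NET -d $DUMMY_IP -p tcp --dport 23 -j DNAT --to-destination $REAL_SERVER:23"
    # Source NAT happens in POSTROUTING, which already sees the translated
    # destination: remote hosts are rewritten to the Linux host's own address,
    # which the firewall in front can then hide behind the official address.
    echo "iptables -t nat -A POSTROUTING -s $REMOTE_NET -d $REAL_SERVER -p tcp --dport 23 -j SNAT --to-source $LINUX_IP"
    # The filter table's FORWARD chain sees the post-DNAT destination and the
    # pre-SNAT source, so the allow rule is written with those values.
    echo "iptables -A FORWARD -s $REMOTE_NET -d $REAL_SERVER -p tcp --dport 23 -j ACCEPT"
    # Replies are reverse-translated by connection tracking; allow them back.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Everything else forwarded through this host is dropped.
    echo "iptables -P FORWARD DROP"
}

# Enable forwarding and load the rules; stops at the first failing command.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules | sh -e
}

# Dry run by default; set APPLY_NAT=1 (as root) to install the rules.
if [ "${APPLY_NAT:-0}" = "1" ]; then
    apply_rules
else
    nat_rules
fi
```

Run without APPLY_NAT to review the generated commands before installing them.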