Re: nat/checkpoint auth/access problem.

From: Danny Sutantyo (dsutanty@dsutanty-wkst.sc.intel.com)
Date: Wed Mar 21 2001 - 12:28:41 EST


Do you have 2 int, right? What's the IP address inside?
Did you set the default gw to point to the external IP address of
checkpoint?

DS
On Wed, 21 Mar 2001, Tatsuya Kawasaki wrote:

>
> Here is the situation.
> The client is inside of NAT, say 1.1.1.9,
> which is statically translated to 2.2.2.9,
> goes out to the internet and tries to talk to 3.3.3.100.
> I understand that this IP, 3.3.3.100, is a server where the checkpoint
> firewall is running on.
> I am not familiar with checkpoint firewall very well;
> here is what seems to happen.
> checkpoint firewall, 3.3.3.100, and 2.2.2.9 talk fine.
> Per checkpoint log, it shows that it has been authenticated.
> Then it tried to go to the web site behind the firewall, say
> 4.4.4.11; that is the problem. Access is denied.
>
>
> Here is what the packets appeared to be doing..
>
> 1. packets originated from 1.1.1.9 change to 2.2.2.9 then go to the internet and
> talk to 3.3.3.100 (checkpoint firewall) to update info.
> This seems to work just fine.
>
> 2. try to authenticate..
> packets originated from 1.1.1.9 change to 2.2.2.9 then go to the internet,
> try to talk to 4.4.4.11 but the reply seems to come from 3.3.3.100.
> This I am not sure about because I only get two packets back from
> 3.3.3.100 but the checkpoint side says everything is okay.
>
> 3. packets originated from 1.1.1.9 change to 2.2.2.9 then go to the internet,
> try to talk to 4.4.4.11 to access the web site, see no packets return
> either from 3.3.3.100 or 4.4.4.11.
>
> I see the problem here. But I need to be prepared for all possibilities.
> Especially I am still a bit concerned about step #2, getting not "enough" packets.
> Perhaps UDP packets (authentication packets) do not need much ...
>
>
> Questions
> - HOW DOES NAT TRANSLATION WORK?
> Does NAT translation simply swap the IP header when it goes out
> to the internet and swap it back when the packet returns? If so, why did some
> internet games have a problem, i.e.
> Diablo? Not sure if it is still the case or not.
> - If you use dynamic NAT translation, I can see a problem like this,
> i.e. send a packet to 4.4.4.11 but the response comes back from 3.3.3.100.
> But I am using static NAT translation; this should not be affected, should
> it?
> - Any info on checkpoint, i.e. port number for auth etc...?
>
>
>
> TIA,
>
> Tatsuya
>
>
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> Tatsuya Kawasaki
> Allegiance Telecom
> Unlock the Power of the Internet
> http://www.kivex.com
> Phone 301.215.6777 Fax 301.215.5991
> Affiliation given for identification not representation
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>
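An added example (mine, not from either poster) that models the distinction Tatsuya raises between static and dynamic NAT, using the constructed addresses from the post: a one-to-one static mapping rewrites a reply from 3.3.3.100 just as it would one from 4.4.4.11, whereas a per-flow dynamic translator only hands back replies that match the endpoint the flow was opened to. The translator behaviour is a simplified assumption, not a description of any specific product.

```python
# Toy model of the two NAT behaviours discussed in the thread (added example).
# Addresses are the constructed values from the post; port handling is an
# assumption: the dynamic translator keeps the source port unchanged.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """One-to-one translation: a fixed inside/outside address pair, rewritten
    in both directions no matter which remote host is on the other end."""

    def __init__(self, inside: str, outside: str):
        self.inside, self.outside = inside, outside

    def outbound(self, p: Packet) -> Packet:
        return Packet(self.outside, p.sport, p.dst, p.dport) if p.src == self.inside else p

    def inbound(self, p: Packet) -> Optional[Packet]:
        # Any remote host may address the outside IP; it is simply rewritten.
        return Packet(p.src, p.sport, self.inside, p.dport) if p.dst == self.outside else None


class DynamicNat:
    """Per-flow translation: outbound traffic creates state keyed on the remote
    endpoint, and a reply is translated back only if it matches that state."""

    def __init__(self, outside: str):
        self.outside = outside
        self.flows = {}  # (outside_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, p: Packet) -> Packet:
        self.flows[(p.sport, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.outside, p.sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        state = self.flows.get((p.dport, p.src, p.sport))
        if state is None:
            return None  # reply from a host/port the flow was not opened to: dropped
        inside_ip, inside_port = state
        return Packet(p.src, p.sport, inside_ip, inside_port)


def reply_accepted(nat, reply_from: str) -> bool:
    """Client 1.1.1.9 sends to 4.4.4.11:80; does a reply from reply_from get back in?"""
    out = nat.outbound(Packet("1.1.1.9", 40000, "4.4.4.11", 80))
    return nat.inbound(Packet(reply_from, 80, out.src, out.sport)) is not None
```

Under the static mapping the reply from 3.3.3.100 reaches the inside host, so if the client still sees nothing, the drop is happening elsewhere (the firewall side or the inside host rejecting an unexpected peer), not in the translation itself.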



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:32 EDT