nat/checkpoint auth/access problem.

From: Tatsuya Kawasaki (tatsuya@kivex.com)
Date: Wed Mar 21 2001 - 08:11:17 EST


Here is the situation.
The client is inside a NAT, say 1.1.1.9,
which is statically translated to 2.2.2.9,
and goes out to the internet to try to talk to 3.3.3.100.
I understand that this IP, 3.3.3.100, is a server where a Checkpoint
firewall is running on.
I am not familiar with the Checkpoint firewall very well;
here is what seems to happen.
The Checkpoint firewall, 3.3.3.100, and 2.2.2.9 talk fine.
Per the Checkpoint log, it shows that it has been authenticated.
Then it tried to go to the web site behind the firewall, say
4.4.4.11; that is the problem. Access is denied.

Here is what the packets appear to be doing:

1. Packets originating from 1.1.1.9 are changed to 2.2.2.9, then go to the internet
   and talk to 3.3.3.100 (Checkpoint firewall) to update info.
   This seems to work just fine.

2. Try to authenticate.
Packets originating from 1.1.1.9 are changed to 2.2.2.9, then go to the internet
and try to talk to 4.4.4.11, but the reply seems to come from 3.3.3.100.
Of this I am not sure, because I only get two packets back from
3.3.3.100, but the Checkpoint side says everything is okay.

3. Packets originating from 1.1.1.9 are changed to 2.2.2.9, then go to the internet
and try to talk to 4.4.4.11 to access the web site; I see no packets return,
either from 3.3.3.100 or from 4.4.4.11.

I see the problem here. But I need to be prepared for all possibilities.
Especially, I am still a bit concerned about step #2, not getting "enough" packets.
Perhaps UDP packets? (the authentication packet) does not need much ...

Questions
- How does NAT translation work?
   Does NAT translation simply swap the IP header when it goes out
   to the internet and swap it back when the packet returns? If so, why did some
   internet games have a problem, i.e.
   Diablo? Not sure whether it is still the case or not.
- If you use dynamic NAT translation, I can see a problem like this,
  i.e. send a packet to 4.4.4.11 but the response comes back from 3.3.3.100,
  but I am using static NAT translation; this should not be affected, should
  it?
- Any info on Checkpoint, i.e. the port number for auth, etc.?

TIA,

Tatsuya

/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Tatsuya Kawasaki
Allegiance Telecom
Unlock the Power of the Internet
http://www.kivex.com
Phone 301.215.6777 Fax 301.215.5991
Affiliation given for identification not representation
/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
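The poster's static-versus-dynamic NAT reasoning can be checked with a small model. The script below is an added illustration, not code from the original message or from Check Point: it models a static (1:1) address translation and a dynamic NAT/PAT (many-to-one, port-overloaded) translation, pushes the post's step 1 and step 2 packets through each, and reports where a reply lands when it comes back from 3.3.3.100 instead of from 4.4.4.11. The addresses are the ones in the post; the source and destination ports, and the fact that the translator keeps no connection state beyond what NAT itself needs, are assumptions. A stateful firewall doing static NAT may additionally track connections and drop a reply from an unexpected host, so this only isolates the address-translation difference the question is about.

```python
"""Toy model of static (1:1) NAT versus dynamic NAT/PAT.

Added illustration for the post above; not the poster's code and not a
Check Point component. Addresses come from the post; ports and the
stateless handling of static NAT are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class StaticNAT:
    """One-to-one address translation.

    The rewrite depends only on the inside/public address pair, so a reply
    sent to the public address is mapped back to the inside host no matter
    which remote host it came from.
    """

    def __init__(self, mapping: Dict[str, str]):
        self.out_map = dict(mapping)                      # inside -> public
        self.in_map = {v: k for k, v in mapping.items()}  # public -> inside

    def outbound(self, p: Packet) -> Packet:
        return Packet(self.out_map.get(p.src, p.src), p.dst, p.sport, p.dport, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.in_map.get(p.dst)
        if inside is None:
            return None  # no static mapping for this public address: dropped
        return Packet(p.src, inside, p.sport, p.dport, p.proto)


class DynamicPAT:
    """Many-to-one NAT with port overloading.

    Each outbound flow gets a public port and a session entry keyed by the
    remote address and port. An inbound packet must match an existing entry,
    so a reply from a different remote address than the one the request was
    sent to has no entry and is dropped.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_sessions: Dict[Tuple[str, int, str, int, str], int] = {}
        self.in_sessions: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        pub_port = self.out_sessions.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.out_sessions[key] = pub_port
            self.in_sessions[(pub_port, p.dst, p.dport, p.proto)] = (p.src, p.sport)
        return Packet(self.public_ip, p.dst, pub_port, p.dport, p.proto)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        entry = self.in_sessions.get((p.dport, p.src, p.sport, p.proto))
        if entry is None:
            return None  # no session for this remote host/port: dropped
        inside_ip, inside_port = entry
        return Packet(p.src, inside_ip, p.sport, inside_port, p.proto)


def translated_reply(nat, request: Packet, reply_src: str) -> Optional[str]:
    """Send `request` out through `nat`, then feed back a reply that arrives
    from `reply_src` (which may differ from request.dst). Returns the inside
    address the reply is delivered to, or None if the NAT drops it."""
    out = nat.outbound(request)
    reply = Packet(reply_src, out.src, out.dport, out.sport, out.proto)
    back = nat.inbound(reply)
    return back.dst if back is not None else None


def demo() -> Dict[str, Optional[str]]:
    """Replay the post's step 1 and step 2 through both NAT models."""
    client, public = "1.1.1.9", "2.2.2.9"
    fw, web = "3.3.3.100", "4.4.4.11"   # addresses from the post
    results: Dict[str, Optional[str]] = {}
    for name, nat in (("static", StaticNAT({client: public})),
                      ("pat", DynamicPAT(public))):
        # Step 1: talk to the firewall; the reply comes from the firewall.
        results[name + "_step1"] = translated_reply(nat, Packet(client, fw, 1024, 80), fw)
        # Step 2: talk to the web server; the reply comes from the firewall's address.
        results[name + "_step2"] = translated_reply(nat, Packet(client, web, 1025, 80), fw)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'delivered to ' + v if v else 'dropped'}")
```

Under the static model both replies reach 1.1.1.9; under the PAT model the step 2 reply from 3.3.3.100 is dropped because the only session is keyed on 4.4.4.11. That matches the poster's expectation that a 1:1 static translation by itself does not care which host answers; whether the client still accepts a reply whose source address differs from the address it sent to is a separate question for the client and for any connection tracking on the path.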



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:32 EDT