[fw-wiz] Sunscreen EFS 3.1 stealth mode and NAT

From: Roy Culley (tgdcuro1_at_gd2.swissptt.ch)
To: firewall-wizards@honor.icsalabs.com
Date: Tue, 20 May 2003 10:08:34 +0200

Next message: W. Builder: "[fw-wiz] NAT Based on Service with only one legal IP"

I have a SunScreen in stealth mode. I have been asked to do a static
NAT of an internal host which has a private address.

I added the private address (private_dns) to the address group for the
internal interface (so it has now the internal stealth net addresses and
this private address).

I added the NAT address (private_dns_nat), which is part of the stealth
subnet address range, to the address group for the external interface. I
added 2 NAT rules:

    1 STATIC "private_dns" "*" "private_dns_nat" "*"
    2 STATIC "*" "private_dns_nat" "*" "private_dns"

When I snoop the incoming and outgoing interfaces I see the packet
arriving on the internal interface with src address private_dns. I
see a packet go out on the external interface with src address
private_dns_nat. The reply packet comes in the external interface
with dst address private_dns_nat. This packet does not appear on
the internal interface.

The SunScreen log shows the initial packet arriving on the internal
interface as passed. The return packet arriving on the external
interface is also logged pass.

Does anyone know why the return packet is not being sent out on the
internal interface?

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
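A way to mechanize the two-interface snoop comparison described in the post, added here as an example and not taken from the post or from SunScreen itself: a generic model of the two STATIC rules (rule 1 rewrites the source of outbound packets, rule 2 rewrites the destination of inbound packets) applied to simplified snoop summary lines captured on the internal and external interfaces, reporting which packets crossed and which never reappeared, translated, on the far side. The addresses (10.1.1.53 for private_dns, 203.0.113.53 for private_dns_nat, 192.0.2.10 for the outside peer), the capture lines and the simplified "SRC -> DST INFO" line format are constructed for the example; real snoop output carries more fields.

```python
"""Correlate a statically NAT'd flow across two interface captures.

Added example, not from the original post or from SunScreen: a generic model
of one-to-one static NAT (rule 1 rewrites the source of outbound packets,
rule 2 rewrites the destination of inbound packets) applied to simplified
snoop-style summary lines from the internal and external interfaces.
Addresses and capture lines below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    info: str  # protocol summary, e.g. "TCP D=53 S=40000 Syn"


def parse_snoop_line(line: str) -> Packet:
    """Parse a simplified snoop summary line of the form 'SRC -> DST INFO'."""
    src, sep, rest = line.strip().partition(" -> ")
    if not sep:
        raise ValueError(f"not a snoop summary line: {line!r}")
    dst, _, info = rest.partition(" ")
    return Packet(src.strip(), dst.strip(), info.strip())


def translate_outbound(pkt: Packet, nat: Dict[str, str]) -> Packet:
    """Rule 1, STATIC private -> public: rewrite the source address."""
    return Packet(nat.get(pkt.src, pkt.src), pkt.dst, pkt.info)


def translate_inbound(pkt: Packet, nat: Dict[str, str]) -> Packet:
    """Rule 2, STATIC public -> private: rewrite the destination address."""
    reverse = {public: private for private, public in nat.items()}
    return Packet(pkt.src, reverse.get(pkt.dst, pkt.dst), pkt.info)


def correlate(internal_lines: List[str], external_lines: List[str],
              nat: Dict[str, str]) -> Dict[str, List[Packet]]:
    """Return packets that crossed in each direction and packets that did not.

    A packet on the internal interface whose source is a NAT'd private
    address is outbound; it should reappear on the external interface with
    rule 1 applied.  A packet on the external interface whose destination is
    a NAT public address is inbound; it should reappear on the internal
    interface with rule 2 applied.
    """
    internal = [parse_snoop_line(line) for line in internal_lines]
    external = [parse_snoop_line(line) for line in external_lines]
    seen_internal, seen_external = set(internal), set(external)
    public_addrs = set(nat.values())

    result: Dict[str, List[Packet]] = {
        "outbound_forwarded": [], "outbound_missing_on_external": [],
        "inbound_forwarded": [], "inbound_missing_on_internal": [],
    }
    for pkt in internal:
        if pkt.src in nat:
            expected = translate_outbound(pkt, nat)
            key = ("outbound_forwarded" if expected in seen_external
                   else "outbound_missing_on_external")
            result[key].append(expected)
    for pkt in external:
        if pkt.dst in public_addrs:
            expected = translate_inbound(pkt, nat)
            key = ("inbound_forwarded" if expected in seen_internal
                   else "inbound_missing_on_internal")
            result[key].append(expected)
    return result


# Constructed captures: private_dns 10.1.1.53 is NAT'd to 203.0.113.53 and
# talks to an outside host 192.0.2.10.  The reply shows up on the external
# interface but never on the internal one, the symptom described in the post.
NAT_MAP = {"10.1.1.53": "203.0.113.53"}
INTERNAL_CAPTURE = [
    "10.1.1.53 -> 192.0.2.10 TCP D=53 S=40000 Syn",
]
EXTERNAL_CAPTURE = [
    "203.0.113.53 -> 192.0.2.10 TCP D=53 S=40000 Syn",
    "192.0.2.10 -> 203.0.113.53 TCP D=40000 S=53 Syn Ack",
]

if __name__ == "__main__":
    for name, pkts in correlate(INTERNAL_CAPTURE, EXTERNAL_CAPTURE, NAT_MAP).items():
        for p in pkts:
            print(f"{name}: {p.src} -> {p.dst} {p.info}")
```

Run against the constructed captures, the outbound SYN is reported as forwarded (it appears on the external side with its source rewritten) while the SYN/ACK lands in inbound_missing_on_internal, which is exactly the gap the post asks about: the rule 2 translation of the reply is computed, but no matching packet was ever captured on the internal interface. Feeding real per-interface snoop summaries through the same comparison separates "the rule did not match" from "the packet was translated but not forwarded".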

