Problem with FTP and NAT

From: Tony Hewitson (hewitsan@email.lul.co.uk)
Date: 18 Jun 2002 02:38:42 -0700

I recently had a problem with Check Point FW4.1 SP4 on a Nokia IP650.
The Nokia has three subnets attached to it: the first is the internet,
the second a DMZ and the third the private network. We set up two
network objects in Check Point: one was for the internal network
(10.0.0.0/8) and the other was for the DMZ (10.100.2.72/26). In the DMZ
we have a proxy server to which all HTTP and FTP requests to the
internet are sent. The DMZ is using 'hide' NAT behind one of our
legal internet IP addresses. The problem is we are having verrrry
slow HTTP access and intermittent FTP connections with this setup. I
reproduced this problem in a laboratory environment - the firewall had
no rules applied to it (any any any accept) and we still had a problem
when using NAT to the internet from the DMZ. I then changed the
network of the DMZ to 192.168.1.0 and wham, everything worked as it
should. Is this because Check Point is aware of the two network objects
(even when they are not loaded into the policy and the DMZ NATted) and
the DMZ is in essence incorporated into the internal network object by
using 10.0.0.0/8??

any ideas would be greatly appreciated

Regards
Tony Hewitson
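
The overlap the post asks about can be checked mechanically. The following is an added example, not part of the original post: it audits the two network objects as written for containment and for host bits set in the network address. The object names and the /24 on the lab network are assumptions, and the script says nothing about how FireWall-1 itself treats the overlap.

```python
import ipaddress

# Network objects as written in the post. The dictionary keys are
# hypothetical labels; the /24 on the lab network is an assumption
# (the post gives only 192.168.1.0).
OBJECTS = {
    "internal": "10.0.0.0/8",
    "dmz": "10.100.2.72/26",
    "dmz_lab_renumbered": "192.168.1.0/24",
}


def normalise(cidr):
    """Return (network, had_host_bits) for a CIDR string."""
    net = ipaddress.ip_network(cidr, strict=False)
    had_host_bits = str(net.network_address) != cidr.split("/")[0]
    return net, had_host_bits


def audit(objects):
    """List non-canonical definitions and every nested pair of objects."""
    nets, findings = {}, []
    for name, cidr in objects.items():
        net, host_bits = normalise(cidr)
        nets[name] = net
        if host_bits:
            # Address given is a host inside the block, not its base address.
            findings.append(("host_bits", name, cidr, str(net)))
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # CIDR blocks either nest or are disjoint, so overlap means
            # the longer prefix lies wholly inside the shorter one.
            if nets[a].overlaps(nets[b]):
                inner, outer = (a, b) if nets[a].prefixlen >= nets[b].prefixlen else (b, a)
                findings.append(("contained", inner, outer, str(nets[inner])))
    return findings


if __name__ == "__main__":
    for finding in audit(OBJECTS):
        print(finding)
```
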
