Re: Routing for a Virtual Server in Checkpoint


"Jean-François Gobin" <jf-no-spam-for-me@xxxxxxxxxx> wrote in message
news:450d1610$0$428$4d4efb8e@xxxxxxxxxxxxxxxxxxxxxx
In fact it depends if you're doing prenat or postnat. One of them doesn't
require routes at all, but beware ... you may need to review your entire
rulebase (prenat is doing the NAT or de-NAT on the input interface
...postnat on the output interface). That's what they call "client side
natting" or "server side natting".

What's the general opinion on which form of NAT is more secure?


The routes you have to insert in the OS are only to determine "to which
interface should this packet be sent". Quite logical if you think that the
address in question may be connected to the outside interface or even to
no
interface (case of a "pure virtual network").

Right, but my question (still unanswered) is how do I do those routes when I
have one external IP, with three target ports that I want to map to three
different target computers on three different DMZ networks? I can't just
route one static IP to one static IP, and I can't route the one IP to one
DMZ network. That will deliver the packet to the incorrect DMZ interface
for two of the three target hosts.


"Automatic ARP" is there only to ensure that the NAT address can be
resolved
to a physical (ie ethernet) address. Without that, you'll have to insert
proxy ("permanent public" in term of BSD) arp for each nat (static or
hide)
you can have ... or insert host routes in your outside router.

I'm not having any problems with the arp part of this.

--
Will


.

Relevant Pages

  • Re: Remote Desktop to Other PC systems on the Network from Remote
    ... machines but I have added a route destination (any destination matching the ... Do I need to have the external interface of the PIX at Branch side somewhere ... I have added the remote network ranges to the "Internal" network definition ... I also already have 2 persistent routes these identify ...
    (microsoft.public.isaserver)
  • Re: Routing for a Virtual Server in Checkpoint
    ... In fact it depends if you're doing prenat or postnat. ... require routes at all, but beware ... ... ....postnat on the output interface). ... automatic nat can do two rules. ...
    (comp.security.firewalls)
  • RE: Problems getting 2 NICs to work.
    ... > Below are the contents of the config files. ... The physical network in this case has nothing to do ... Running both class C's on the same interface is likewise not optimal, ... Gateway statements define default routes. ...
    (Fedora)
  • Re: VPN routing and RAS problem urgent!!! (thank you)
    ... Permanente routes: ... I can see in RAS packets being coming in on the Interface but nothing ... VPN subnet using Add route ... ... I have 3 interface 2 of them connected with the Internet. ...
    (microsoft.public.windows.server.sbs)
  • Re: Routing for a Virtual Server in Checkpoint
    ... HTTP redirect and NAT. ... require routes at all, but beware ... ... ...postnat on the output interface). ...
    (comp.security.firewalls)