Re: Routing for a Virtual Server in Checkpoint

From: "Will" <DELETE_westes@xxxxxxxxxxxxxxxxxx>
Date: Sun, 17 Sep 2006 23:58:53 -0700

Will <westes-usc@xxxxxxxxxxxxxx> wrote:
: With at least older versions of Checkpoint, you have to establish manual
: routes in the OS to move packets that require NAT to the correct

interface.

: For a simple mapping of one external IP to one internal IP, this is

trivial

: and works fine. But how are you supposed to do the routing for the

case of

: a virtual server, where one external IP may map each of three ports to

three

: separate destination IPs on three separate DMZ networks? It's not

clear

: for such a case how static routing rules would apply.

<larstr@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eeis30$83b$1@xxxxxxxxxxxxxxxxxxxxx

I don't know what version you're using, but newer versions (NG and up)
understands and does this automaticly. It's called automatic ARP.

Don't confuse the arp issue with NAT. At least on the older Checkpoint
product, they are completely separate. You have to define static routes on
the pre-NAT addresses in order to have them routed to the correct
destination interface.

If you automate the arp, and you want to use NAT after routing, wouldn't you
still need to create static routes to get to the correct destination
interface?

My case is a little too complex for a simple static route. I want:

192.168.10.13:80 -> 172.16.16.14:8080
192.168.10.13:53-> 172.16.13.13:53

172.16.16 and 172.16.13 are separate class C networks on separate DMZ
interfaces of the firewall. I can't just route all packets coming to
19.168.10.13 to one of these two destinations arbitrarily.

--
Will

.

References:
- Routing for a Virtual Server in Checkpoint
  - From: Will
- Re: Routing for a Virtual Server in Checkpoint
  - From: larstr

Prev by Date: Re: Trouble with network using netgear router
Next by Date: Re: Routing for a Virtual Server in Checkpoint
Previous by thread: Re: Routing for a Virtual Server in Checkpoint
Next by thread: Re: No internet connection
Index(es):
- Date
- Thread

Relevant Pages

Re: Routing for a Virtual Server in Checkpoint
... ...postnat on the output interface). ... What's the general opinion on which form of NAT is more secure? ... but my question is how do I do those routes when I ... different target computers on three different DMZ networks? ...
(comp.security.firewalls)
Re: Routing for a Virtual Server in Checkpoint
... In fact it depends if you're doing prenat or postnat. ... require routes at all, but beware ... ... ....postnat on the output interface). ... automatic nat can do two rules. ...
(comp.security.firewalls)
Re: Bizzare behaviour of NAT with iptables
... I have checked the routes before, ... nat / PREROUTING and nat / POSTROUTING chains triggered ... I run a constant ping from my machine to some close www server ... but somehow manages to avoid the nat table (both postrouting and prerouting) ...
(comp.os.linux.networking)
Re: Routing for a Virtual Server in Checkpoint
... HTTP redirect and NAT. ... require routes at all, but beware ... ... ...postnat on the output interface). ...
(comp.security.firewalls)
Re: Opening a port in NAT
... Persistent Routes: ... Using Netsh to troubleshooting NAT issues ... you can use Netsh Routing IP NAT Commands to troubleshoot NAT issues. ...
(microsoft.public.windows.server.networking)