2006-10-02
admcleod
Auto-NAT coexisting with Manual (P)NAT

Hello!

I have just taken over administration of a Checkpoint NGX R60 firewall, and have been given the task of enabling external access to an internal server hosting a web server on port 4443 (due to a recent firewall migration not being entirely complete). This new host resolves to the same IP address as an existing web server.

Here's the scenario:

web.domain.com and newhost.domain.com both point to the public IP 80.0.0.1.

There is an automatic NAT for 80.0.0.1, to the internal IP, 192.168.0.10

This automatic NAT works fine (only necessary for TCP 80/443).

So, I want to add in a rule to redirect requests to 80.0.0.1 on port 4443 to the internal IP of the newhost, 192.168.0.20.

(There are three rules in the rulebase:
ANY to 192.168.0.10 on 80, LOG
ANY to 192.168.0.10 on 443, LOG
ANY to 192.168.0.20 on 4443, LOG)

I don't _really_ want to remove the existing automatic NAT to the web server, mainly to avoid any outages caused by misconfiguration...

These are the rules I have tried, separately, without success:

Original Packet ==> Translated Packet

Src, Dest, Svc ==> Src, Dest, Svc

any, 80.0.0.1, tcp_4443 ==> original, 192.168.0.20, original

and

any, 192.168.0.10, tcp_4443 ==> orig., 192.168.0.20, orig.

I have tried them both above and below the automatic NAT (although bi-directional NAT is enabled, and I understand that checks all rules for best match before processing? Is matching 'ANY' service better than matching the service explicitly?)

Anyway. Any suggestions? Something blatantly silly/obvious?


Thanks!
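As an added illustration (not from the post, and not Check Point's own matching code), the following Python model evaluates a destination-NAT rule base top-down with first-match semantics, which is an assumption made here to show how rule order and the choice of original destination (80.0.0.1 versus the already-translated 192.168.0.10) decide whether the port 4443 traffic from the scenario above reaches 192.168.0.20 or falls into the automatic NAT for 192.168.0.10.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class NatRule:
    """One destination-NAT rule: original (dst, svc) -> translated (dst, svc)."""
    name: str
    dst: str                  # original destination IP, or "any"
    svc: Optional[int]        # original TCP port; None means any service
    xlate_dst: str            # translated destination IP
    xlate_svc: Optional[int]  # translated port; None keeps the original

    def matches(self, dst: str, port: int) -> bool:
        return (self.dst in ("any", dst)) and (self.svc is None or self.svc == port)

def translate(rulebase: List[NatRule], dst: str, port: int) -> Tuple[Optional[str], str, int]:
    """Top-down, first-match evaluation (assumption: first matching rule wins).

    Returns (matched rule name or None, translated dst, translated port).
    """
    for rule in rulebase:
        if rule.matches(dst, port):
            return rule.name, rule.xlate_dst, rule.xlate_svc or port
    return None, dst, port

# Rules from the scenario (constructed from the post; names are hypothetical).
AUTO_NAT = NatRule("auto 80.0.0.1->192.168.0.10", "80.0.0.1", None, "192.168.0.10", None)
MANUAL_PUBLIC = NatRule("manual 4443 on 80.0.0.1", "80.0.0.1", 4443, "192.168.0.20", None)
MANUAL_PRIVATE = NatRule("manual 4443 on 192.168.0.10", "192.168.0.10", 4443, "192.168.0.20", None)

def evaluate_orderings(port: int = 4443) -> dict:
    """Run an inbound packet to 80.0.0.1:port through each candidate ordering."""
    packet = ("80.0.0.1", port)
    return {
        "manual_above_auto": translate([MANUAL_PUBLIC, AUTO_NAT], *packet),
        "manual_below_auto": translate([AUTO_NAT, MANUAL_PUBLIC], *packet),
        # The second candidate rule keys on the internal IP, which an
        # inbound packet does not carry before translation.
        "private_dst_rule_only": translate([MANUAL_PRIVATE], *packet),
    }

if __name__ == "__main__":
    for ordering, result in evaluate_orderings().items():
        print(f"{ordering:24s} -> {result}")
```

Under this model only the ordering with the specific port 4443 rule above the service-agnostic automatic rule sends the traffic to 192.168.0.20; the other placements either hit the automatic NAT first or never match at all.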