CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
User Auth does not work with NAT

Anytime the security servers intercept a connection, either for authentication or content security, FireWall-1 will originate the outgoing connection itself, at least in version 4.1 and before (NG does not appear to have this behaviour). Any previously-applied NAT rules will not take effect. This connection will traverse the address translation rulebase with its own IP address as the source address. You would have to use the following NAT rules (where Firewall-int is the IP of your internal interface):

| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|---|---|---|---|---|---|---|
| 1 | x.y.1.50 - x.y.255.255 | Any | Any | Firewall (H) | Orig | Orig |
| 2 | Firewall-int | a.b.c.4 | Any | Firewall-int (H) | x.y.1.4 (S) | Orig |
| 3 | Any | a.b.c.4 | Any | Orig | x.y.1.4 (S) | Orig |

Rule number 2 doesn't seem to make much sense here. This rule is necessary for things to work correctly as the inspect engine seems to see the connection opened by the authentication daemon as a separate connection that requires re-scanning thru the NAT rule table. Rule 2 ensures this connection is matched correctly.

Note that this workaround does not appear to work under IPSO.

-- PhoneBoy - 30 Dec 2003

FAQs.Class: AuthenticationFAQs, NetworkAddressTranslationFAQs, TroubleshootingFAQs
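As an added illustration (not part of PhoneBoy's post or of any Check Point code), the following Python models first-match lookup over the three NAT rules above. Constructed addresses stand in for the symbolic ones in the post: 10.1.0.0/16 for x.y, 10.1.1.1 for Firewall-int, 203.0.113.1 for the firewall's hide address "Firewall", 192.0.2.4 for a.b.c.4 and 10.1.1.4 for x.y.1.4. It shows which rule the client's own packet would match and which rule the connection the security server originates from Firewall-int matches when it is scanned against the rulebase a second time; it models rule matching only, not the inspect-engine behaviour that makes rule 2 necessary.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholders for the post's symbolic addresses (assumptions, not real values):
#   Firewall-int -> 10.1.1.1     firewall internal interface
#   Firewall     -> 203.0.113.1  firewall hide address (external interface)
#   a.b.c.4      -> 192.0.2.4    public address of the internal server
#   x.y.1.4      -> 10.1.1.4     real address of the internal server
FIREWALL_INT = "10.1.1.1"
FIREWALL_EXT = "203.0.113.1"
SERVER_PUBLIC = "192.0.2.4"
SERVER_REAL = "10.1.1.4"


def ip(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


class Match:
    """An 'Original' column entry: 'Any', a single host, or an inclusive 'a - b' range."""

    def __init__(self, spec: str):
        self.spec = spec
        if spec == "Any":
            self.lo, self.hi = 0, 2**32 - 1
        elif " - " in spec:
            first, last = spec.split(" - ")
            self.lo, self.hi = ip(first), ip(last)
        else:
            self.lo = self.hi = ip(spec)

    def __call__(self, addr: str) -> bool:
        return self.lo <= ip(addr) <= self.hi


@dataclass
class NatRule:
    number: int
    src: Match
    dst: Match
    xlate_src: str  # "Orig" or "<address> (H)" / "<address> (S)" as in the FAQ table
    xlate_dst: str


# The three rules from the post, rewritten with the constructed addresses above.
RULEBASE = [
    NatRule(1, Match("10.1.1.50 - 10.1.255.255"), Match("Any"), f"{FIREWALL_EXT} (H)", "Orig"),
    NatRule(2, Match(FIREWALL_INT), Match(SERVER_PUBLIC), f"{FIREWALL_INT} (H)", f"{SERVER_REAL} (S)"),
    NatRule(3, Match("Any"), Match(SERVER_PUBLIC), "Orig", f"{SERVER_REAL} (S)"),
]


def translate(src: str, dst: str, rulebase=RULEBASE) -> Tuple[Optional[int], str, str]:
    """First-match NAT lookup: scan top-down, the first rule whose Original columns
    match wins. Returns (rule number or None, translated source, translated destination)."""
    for rule in rulebase:
        if rule.src(src) and rule.dst(dst):
            new_src = src if rule.xlate_src == "Orig" else rule.xlate_src.split()[0]
            new_dst = dst if rule.xlate_dst == "Orig" else rule.xlate_dst.split()[0]
            return rule.number, new_src, new_dst
    return None, src, dst


def security_server_session(client: str, dst: str):
    """Model the post's observation: the security server terminates the client's
    connection and originates a new one from Firewall-int, which traverses the
    NAT rulebase again with the firewall's own address as source."""
    client_leg = translate(client, dst)        # what the client's packet matches
    daemon_leg = translate(FIREWALL_INT, dst)  # what the daemon-originated connection matches
    return client_leg, daemon_leg


if __name__ == "__main__":
    for leg in security_server_session("10.1.1.60", SERVER_PUBLIC):
        print(leg)
    print(translate("198.51.100.7", SERVER_PUBLIC))  # an outside client reaching the server
```

Run stand-alone it prints the rule number and resulting addresses for each leg: the internal client hits rule 1 and is hidden behind the firewall, the daemon-originated leg from Firewall-int hits rule 2 and gets its destination rewritten to the server's real address, and an outside client hits rule 3.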