CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi All,

Does anyone have a solution to this? I have a Check Point firewall with three interfaces as follows:

Ethernet 1 --- to the outside (Internet)
Ethernet 2 --- to the inside (inside LAN)
Ethernet 3 --- to the DMZ

I have a web server on the DMZ statically NATed to a global IP for people to access it from the Internet. The first problem I noticed was that the web server is NATed to the global IP when it accesses the internal network. I observed this when I enabled a debug on the PIX firewall connected to the inside of the Check Point firewall. The second challenge was that the return traffic is not getting to the web server, because I could see the return traffic hitting the outside interface of the connected PIX firewall. Also, when I did a tcpdump on the inside interface of the Check Point firewall, I was also getting the return traffic destined for the web server, but for one reason or the other, the return traffic is not getting to the web server. Please, does anybody have an idea of what I am doing wrong? This will be highly appreciated.
Hi musasalam,

"The first problem I noticed was that the web server is NATed to the global IP when it accesses the internal network."

I assume the DMZ and the web server itself have private IP addresses? Is that correct? To have the web server appear on the internal network with its true DMZ address, you'll need to create additional NAT rules to do it.

"The second challenge was that the return traffic is not getting to the web server because I could see the return traffic hitting the outside interface of the connected PIX firewall."

Do you mean that traffic from the Internet that should be going to the DMZ web server is instead going to the internal network? That would have to be an error in one of the NAT rules causing a routing problem, I would think. Did you use an automatic NAT rule with the NAT tab of the web server object, or did you manually create two NAT rules? If you manually created the rules, could you please put them in a reply?

HTH,
Ray
Hi Ray,

Thanks for your response. Yes, the web server and the DMZ have private IP addresses, but how do I create the additional NAT rule to allow the DMZ IP address to appear as its original address on the internal network?

"Do you mean that traffic from the Internet that should be going to the DMZ web server is instead going to the internal network? That would have to be an error in one of the NAT rules causing a routing problem, I would think."

No, I mean the traffic from the internal network that should be going to the DMZ web server might instead be going to the outside (not sure).

"Did you use an automatic NAT rule with the NAT tab of the web server object or did you manually create two NAT rules?"

I used automatic NAT with the NAT tab of the web server object.

Regards
Hi,

Since you have done automatic NAT, the following rules would have been added automatically under Address Translation rules:

ORIGINAL PACKET                     TRANSLATED PACKET
Web_server -> Any                   Web_Server (Valid IP) -> Any
Any -> Web_server (Valid IP)        Any -> Web_Server

Please add the following manual rules:

ORIGINAL PACKET                     TRANSLATED PACKET
Internal_Network -> Web_server      Original -> Original
Web_Server -> Internal_Network      Original -> Original
Not sure what musasalam did in the end, but this is what I suggested:

"Hi there,

It's a common problem, and also very easy to solve. What you need to do is create a group with all your own networks (including DMZ) and then create a manual NAT rule at the top, like this:

group | group | any | = | = | =

This will prevent any NAT being used for any traffic between your own networks, which is usually the right thing for most people. If you have more specific details, feel free to PM me again and we can discuss."

Steve's solution will also work (provided those rules are placed above the automatic NAT ones). I personally prefer not to use any NAT between networks that I "own", but it's a matter of preference.
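The ordering point made in the last two replies (the manual no-NAT rules must sit above the automatic ones), as an added example that is not code from this thread or from Check Point: a small Python model of a first-match Address Translation rulebase, evaluated on the first packet of a connection as the gateway does. The addresses, the internal client and the rule names are constructed for illustration; the group rule from the last reply is expanded into one entry per network pair because this toy matcher takes a single prefix per column.

```python
"""Added example, not from the CPUG thread or from Check Point: a small model
of an ordered Address Translation rulebase, evaluated first-match on the first
packet of a connection, to show why the web server object's automatic static
NAT also fires for DMZ -> internal connections and why a manual no-NAT rule
placed above the automatic rules fixes that. All addresses are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample topology (hypothetical addresses, not the poster's).
WEB_SERVER = "192.168.10.10"        # web server's private DMZ address
WEB_SERVER_VALID = "203.0.113.10"   # its global ("Valid IP") address
INTERNAL_NET = "10.0.0.0/8"
DMZ_NET = "192.168.10.0/24"
ANY = "0.0.0.0/0"
ORIGINAL = None                     # "= Original" in a Translated Packet column


@dataclass
class NatRule:
    name: str
    orig_src: str
    orig_dst: str
    xlate_src: Optional[str]        # None keeps the original address
    xlate_dst: Optional[str]


def _matches(pattern: str, addr: str) -> bool:
    """Hosts and networks are both expressed as prefixes (a host is a /32)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def apply_nat(rulebase: List[NatRule], src: str, dst: str) -> Tuple[str, str, str]:
    """First matching rule wins, as in the Address Translation rulebase.
    Returns (translated source, translated destination, name of the rule used)."""
    for rule in rulebase:
        if _matches(rule.orig_src, src) and _matches(rule.orig_dst, dst):
            return (rule.xlate_src or src, rule.xlate_dst or dst, rule.name)
    return (src, dst, "no rule matched (no NAT)")


# What the web server object's NAT tab (static NAT) generates: outbound the
# server is translated to the valid IP, inbound the valid IP maps to the server.
AUTO_RULES = [
    NatRule("auto: Web_server -> Any", WEB_SERVER, ANY, WEB_SERVER_VALID, ORIGINAL),
    NatRule("auto: Any -> Web_server (Valid IP)", ANY, WEB_SERVER_VALID, ORIGINAL, WEB_SERVER),
]

# Steve's manual Original -> Original rules for the internal/web server pair.
STEVE_RULES = [
    NatRule("manual: Internal_Network -> Web_server", INTERNAL_NET, WEB_SERVER, ORIGINAL, ORIGINAL),
    NatRule("manual: Web_server -> Internal_Network", WEB_SERVER, INTERNAL_NET, ORIGINAL, ORIGINAL),
]

# The "own networks" group rule from the last reply (group | group | any | = | = | =),
# expanded to one entry per (source, destination) member pair since this toy
# matcher takes a single prefix per column.
OWN_NETS_RULES = [
    NatRule(f"manual: own {s} -> own {d}", s, d, ORIGINAL, ORIGINAL)
    for s in (INTERNAL_NET, DMZ_NET)
    for d in (INTERNAL_NET, DMZ_NET)
]


def rulebase_broken() -> List[NatRule]:
    """Automatic rules only: the original poster's situation."""
    return AUTO_RULES


def rulebase_steve() -> List[NatRule]:
    """Steve's manual rules placed above the automatic ones."""
    return STEVE_RULES + AUTO_RULES


def rulebase_group() -> List[NatRule]:
    """The own-networks no-NAT rule placed above the automatic ones."""
    return OWN_NETS_RULES + AUTO_RULES


def rulebase_wrong_order() -> List[NatRule]:
    """Same manual rules, but below the automatic ones: the fix never matches."""
    return AUTO_RULES + STEVE_RULES


if __name__ == "__main__":
    internal_host = "10.1.1.50"      # constructed internal client
    internet_host = "198.51.100.7"   # constructed Internet client
    for label, rb in [("broken", rulebase_broken()), ("steve", rulebase_steve()),
                      ("group", rulebase_group()), ("wrong order", rulebase_wrong_order())]:
        print(f"{label:12} DMZ->inside  : {apply_nat(rb, WEB_SERVER, internal_host)}")
        print(f"{label:12} Internet->web: {apply_nat(rb, internet_host, WEB_SERVER_VALID)}")
```

In the "broken" and "wrong order" rulebases a connection the web server opens to an internal host leaves the gateway with the global address as its source, which is the symptom the PIX debug showed. With either fix on top, the source is left alone, while an Internet client connecting to the valid IP is still mapped to the server by the automatic inbound rule, so the public service keeps working. The model only decides NAT for a connection's first packet; the gateway's reply handling comes from its connection table, not from a second pass through the rulebase.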