
Tricky Static NAT



achillesheel
2007-09-11, 13:27
All,

I have a question regarding static NAT. Please have a look at the configuration described below.

Security Rule
--------------
Src: 10.10.10.1 & 10.10.10.2
Dst: 172.16.1.1
Srv: ANY
Act: Accept

NAT rules
----------
Rule1
Src: 10.10.10.1
Dst: 172.16.1.1
SrcNAT: 192.168.1.1 (Static NAT with firewall's interface ip)
DstNAT: original

Rule2
Src: 10.10.10.2
Dst: 172.16.1.1
SrcNAT: 192.168.1.1 (Static NAT with firewall's interface ip)
DstNAT: original

I know the question may sound silly; I'm asking this to have a better understanding of how Check Point works!
The unconventional part of the configuration is that the 2 different source IPs get static NAT-ted to the firewall interface IP (192.168.1.1). Is this configuration possible? I'm aware of the hide NAT configuration, but I was just curious whether this is possible or not. If it is, how does the firewall identify the connection in the state table and relate that to the Xlate table for performing NAT?

Thanks in advance

Cheers
Achillesheel

MarioL
2007-09-12, 05:55
You forgot to mention if this is inbound or outbound, that makes a difference.

Anyway, Static NAT is supposed to be 1-to-1, even though you can use it for more than one if you use the service field too (so you have a way to differentiate between them).

The configuration you described is not correct. While it may seem possible to translate 2-to-1, you won't ever be able to do the reverse rule to translate back 1-to-2.

Finally, you shouldn't use full static NAT (service Any) using the firewall's IP, for many reasons, even if you can do it for specific services.

achillesheel
2007-09-13, 10:46
MarioL,

Thanks for the response. Now I'm getting more doubts :-)... My apologies for not mentioning whether it's inbound or outbound; in fact I didn't realize that makes a difference here. Could you please explain both cases, inbound and outbound, considering the static source NAT IP 192.168.1.1 as a normal one and NOT the firewall interface IP.

I understand your second sentence refers to port translation. Please correct me if I'm wrong.

When you said it may seem possible to translate 2-to-1, I get the following thoughts (assume a connection between 2 DMZs).
Considering destination NATs, 2 or many destination IPs can be static NAT-ted to a single IP when the sources are different; otherwise it's of no use. This is a normal configuration, so no confusion here.

SourceNAT
Possibilities for 2-to-1 source static NAT:
1) 2 source IPs can be static NAT-ted to a single IP when the destinations are different for the 2 sources.
2) 2 source IPs can be static NAT-ted to a single IP accessing the same destination but for different services (say source 1 - port 80 and source 2 - port 21).

Please comment

Also, you had mentioned we shouldn't do static NAT with the firewall interface IP for many reasons. First of all, is it possible to use the firewall interface IP for static NAT (be it inbound or outbound)?

Please do let me know if you think these doubts are already addressed here; then I would refer to other threads to find my answer.

Thanks in advance

Cheers
Achillesheel

MarioL
2007-09-13, 11:16
Hi Achillesheel,

When you are using NAT on the source of packets coming into your networks, you can usually play with the fact that the firewall is the default gateway and a lot of IPs will get routed back to it. You don't have this luxury when you are doing NAT for source IPs of packets going out of the network.

My 2nd sentence refers to NAT, which in Check Point would be called Static NAT. PAT (Port Address Translation) is Hide NAT.

Unless you use 2 different fields on NAT rules, there is no way you can Static NAT for more than 1 IP. If you think it can work, please create a set of example NAT rules.
The examples you give use 1 more field, so you can hack it (part of what I had said in my previous post).

You can use the firewall's IP for static NAT, but I would only use it for specific services. Ex:
Any | FW | SMTP | = | MailServer | =
Any | FW | HTTP | = | WebServer | =

And then use NAT hide for both servers when going out. With just 1 IP address you could get both working.

achillesheel
2007-09-16, 06:28
MarioL,

I understand your first 2 points. When you said there should be 2 different fields in the NAT rules, I understand the "service" field should be used. For more clarity on my previous post, please have a look at the rules below and advise whether each set of rules is correct or not. Assume the connection is between DMZs.

First set of NAT rules - Src and Dest are 2 different fields
| 10.10.10.1 | 172.16.1.1 | HTTP | 192.168.1.1 | = | = |
| 10.20.20.1 | 172.16.2.2 | HTTP | 192.168.1.1 | = | = |

Second set of NAT rules - Src and Ports are 2 different fields
| 10.10.10.1 | 172.16.1.1 | FTP | 192.168.1.1 | = | = |
| 10.20.20.1 | 172.16.1.1 | Telnet | 192.168.1.1 | = | = |

I understood the usage of the firewall IP for 2 different services, and you had also mentioned hide NAT is done for the servers when they go out. So it's clear that we cannot do static NAT for a source with the firewall IP.


Cheers
Achillesheel

MarioL
2007-09-17, 04:39
Morning,


> So it's clear that we cannot do static NAT for a source with the firewall IP.
To be honest, I never tested this, now you got me thinking. Maybe someone has and will comment. But even if it somehow worked, it wouldn't be an ideal config.

On to the fun stuff:
| 10.10.10.1 | 172.16.1.1 | HTTP | 192.168.1.1 | = | = |
| 10.20.20.1 | 172.16.2.2 | HTTP | 192.168.1.1 | = | = |

If we use hide NAT here, it will work just fine. If we use Static, we can add the following reverse rules and it will work:
| 172.16.1.1 | 192.168.1.1 | Any | = | 10.10.10.1 | = |
| 172.16.2.2 | 192.168.1.1 | Any | = | 10.20.20.1 | = |

OK, second scenario:
| 10.10.10.1 | 172.16.1.1 | FTP | 192.168.1.1 | = | = |
| 10.20.20.1 | 172.16.1.1 | Telnet | 192.168.1.1 | = | = |

Now here we have a problem, we won't be able to differentiate the return packets, so we won't know if we should translate to 10.10.10.1 or 10.20.20.1. When we get a packet back from 172.16.1.1 to 192.168.1.1, the source port is the thing that identifies where it should go, but it doesn't show in the NAT rules.

One "problem" with NAT is that each vendor has their own nomenclature and slight variations. I suspect we are thinking pretty much the same, just putting it down differently :) Also, English is not my native language.

Cheers,
Mario
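The two rule sets and the return-packet problem from the post above, modelled as an added Python example. This is not Check Point code and not something posted in this thread: the rule layout, the stateless reverse lookup used for static NAT and the port-keyed state table used for hide NAT are assumptions made for illustration.

```python
"""Toy model of the two NAT rule sets discussed above (added example, not
Check Point code; the rule and state-table layouts are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # service "Any"


@dataclass(frozen=True)
class NatRule:
    src: str                # original source address
    dst: str                # original destination address
    service: Optional[int]  # destination port, or ANY
    xlate_src: str          # translated source (static NAT keeps the port)


# First set from the thread: same translated source, two different destinations.
SET1 = [NatRule("10.10.10.1", "172.16.1.1", 80, "192.168.1.1"),
        NatRule("10.20.20.1", "172.16.2.2", 80, "192.168.1.1")]

# Second set from the thread: same destination, two different services.
SET2 = [NatRule("10.10.10.1", "172.16.1.1", 21, "192.168.1.1"),
        NatRule("10.20.20.1", "172.16.1.1", 23, "192.168.1.1")]


def static_forward(rules: List[NatRule], src: str, dst: str, dport: int) -> str:
    """Outbound direction: the first matching rule rewrites the source address."""
    for r in rules:
        if r.src == src and r.dst == dst and r.service in (ANY, dport):
            return r.xlate_src
    return src  # no rule matched: address left alone


def static_reverse(rules: List[NatRule], src: str, dst: str, sport: int,
                   use_service: bool) -> List[str]:
    """Return direction (server -> translated address): every original host the
    reply could be un-translated to. Static NAT keeps no per-connection state in
    this model, so the answer comes from the rules alone. With use_service=False
    only the address pair is consulted; with True the reply's source port is also
    matched against the rule's service field."""
    hits = set()
    for r in rules:
        if r.dst == src and r.xlate_src == dst:
            if not use_service or r.service in (ANY, sport):
                hits.add(r.src)
    return sorted(hits)


def ambiguous_reverse_rules(rules: List[NatRule], use_service: bool) -> List[Tuple[str, str]]:
    """Pairs of rules whose reverse lookup collides, i.e. the 1-to-2 problem."""
    clashes = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_addr = a.dst == b.dst and a.xlate_src == b.xlate_src
            same_svc = (not use_service) or a.service == b.service or ANY in (a.service, b.service)
            if same_addr and same_svc:
                clashes.append((a.src, b.src))
    return clashes


class HideNat:
    """Hide NAT / PAT: many sources behind one address, told apart by a
    per-connection translated source port recorded in a state table."""

    def __init__(self, hide_ip: str, first_port: int = 10000) -> None:
        self.hide_ip = hide_ip
        self.next_port = first_port
        # translated source port -> original (src, sport, dst, dport)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Tuple[str, int, str, int]:
        key = (src, sport, dst, dport)
        for port, orig in self.table.items():   # reuse an existing entry
            if orig == key:
                return (self.hide_ip, port, dst, dport)
        port = self.next_port                    # otherwise allocate a new port
        self.next_port += 1
        self.table[port] = key
        return (self.hide_ip, port, dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int):
        """Reply from the server: look up the translated port; None if unknown."""
        orig = self.table.get(dport)
        if orig is None or dst != self.hide_ip:
            return None
        osrc, osport, odst, odport = orig
        if odst != src or odport != sport:
            return None
        return (src, sport, osrc, osport)
```

With the first set, `static_reverse` on a reply from 172.16.2.2 yields exactly one host, because the server address alone identifies the rule. With the second set, a reply from 172.16.1.1 to 192.168.1.1 matches both rules unless the reply's source port is folded into the lookup, which is the ambiguity described above; `HideNat` sidesteps it by allocating a distinct translated port per connection and keying the return lookup on that port.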

mcnallym
2007-09-17, 09:03
The normal method for doing static NAT with the firewall's external IP is to create rules for outbound and then use the SRV_REDIRECT option to redirect services to specific servers inbound.

Look at http_mapped for how to work with SRV_Redirect.

MarioL
2007-09-17, 10:05
Ah, there you go, thanks mcnallym.