NAT / Http - FireWall-1 Gurus Forum

gartner · Status: Offline

NAT / Http

ccseng2002 · Status: Offline

On the Nokia, you need to do the proxy "arp". If you're running nokia "vrrp", you need to put the vrrp MAC to proxy arp for the NATed address. If you are not using nokia vrrp, simply use the "external" of the firewall. Again, use voyager to configure this. It should be in "ARP" Section.

gartner · Status: Offline

I have done this.

on a second ip address it works well.....

? (1.2.3.3) at 0:a0:8e:b:81:50 permanent published (proxy only)
? (.1.2.3.4) at 0:a0:8e:b:81:50 permanent published (proxy only)

The tcp-connect goes to the internal-privat address 192.168.1.118. But it seems it has a problem to find the way back ?!?

gartner · Status: Offline

Hi,

i don't know why the syn ack does not appear:

1) with the problem ip-address 4.3.2.1:

07:14:21.084270 I 0:xx:xx:xx:xx:xx 2:xx:xx:xx:xx:xx 0800 62: 1.2.3.4.14413 > 4.3.2.1.80: S 2366408797:2366408797(0) win 64512 <mss 1260,nop,nop,sackOK> (DF)

2) with a working ip-address 4.3.2.2:
07:18:04.244950 I 0:xx:xx:xx:xx:xx 2:xx:xx:xx:xx:xx 0800 62: 1.2.3.4.14417 > 4.3.2.2.80: S 2422816349:2422816349(0) win 64512 <mss 1260,nop,nop,sackOK> (DF)
07:18:04.247262 O 1:xx:xx:xx:xx:xx0:xx:xx:xx:xx:xx 0800 58: 4.3.2.2.80 > 1.2.3.4.14417: S 2133886896:2133886896(0) ack 2422816350 win 8820 <mss 1460> (DF)

Who can explain me that ? Where is the bug ?

raulico · Status: Offline

what about the routing table?

do you use tha automathic or manual nat.....global-properties->nat, i suggest you the manual version, i always hate automathism....maybe a spoofing problem not showed by implied logs-rules

i suggest you to add the proxy arp, by voyager, and add the static-route, on voyager too, after you should create 2 objects on firewall1, and do the security rule and nat (static both directions...direct and reverse), good luck

Ciao

Raoul Ferro

gartner · Status: Offline

What static route do you mean ?

gartner · Status: Offline

if i ping from the internal Webserver to an external address it works !

if i ping from an external address to the interal Webserver it doesn't works ! The firewall shows no drops ?????

raulico · Status: Offline

1.2.3.4 example wan address

192.168.1.1 example lan address

proxy-arp 1.2.3.4 to wan(or fw address)

static route 1.2.3.4 to 192.168.1.1/32

on fw1 create 2 objects, 1 for wan-address and 1 for lan address

on security rule permit http-traffic from any to 192.168.1.1

on nat rule create 2 static rules for inside-to-outside and outside-to-inside.(hide is not permitted)

check if icmp is permitted from outside, and test connections by a ping

ciao

Raoul Ferro

JA · Status: Offline

I know this is a basic suggestion but have you checked that the default gateway on you local host (HTTP server) is set to the you Nokia???