firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: NAT sanity check (Darden, Patrick S.)
2. Re: NAT sanity check (James)
3. Re: NAT sanity check (Halchishak, John)
4. 2nd Life (DRISCOLL, ROBERT)
5. Re: NAT sanity check (Paul Melson)
6. NAT order help (sivakumar)
----------------------------------------------------------------------
Message: 1
Date: Mon, 5 Nov 2007 14:09:04 -0500
From: "Darden, Patrick S." <darden@armc.org>
Subject: Re: [fw-wiz] NAT sanity check
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <CBE22E5FF427B149A272DD1DDE1075240184E46D@EX2K3.armc.org>
Content-Type: text/plain; charset="iso-8859-1"
The Checkpoint firewall box should be your default gateway--make it .1 and it can NAT/PAT to anything behind it.
--p
-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of David Steele
Sent: Thursday, November 01, 2007 8:24 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] NAT sanity check
Hi,
I'm hoping someone can provide a sanity check on the following configuration - i.e.: will it work?
I've got a /29 public network, addresses (say) .2 to .6, with default gateway of .1. Can I place a Checkpoint firewall on .2 and have it use the remaining addresses for NAT'd services on the other side of the firewall?
I ask as I'm certain I've done this in the past, but I'm a few years out of doing firewall work and my current technical contact reckons this won't work - that the default gate will ARP for the address and the .2 firewall won't respond; and that furthermore the only way to use the addresses would be to put a different subnet between the default gateway and the firewall and route the /29 network to the firewall (which I agree will work, but...)
Also, would it work if the firewall was a PIX?
TIA
--
_______________________________
David Steele
<insert sig line witticism here>
------------------------------
Message: 2
Date: Tue, 6 Nov 2007 11:49:53 +1100
From: James <jimbob.coffey@gmail.com>
Subject: Re: [fw-wiz] NAT sanity check
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<343aa4f80711051649v316da336t977a0a34a3667ca1@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 11/2/07, David Steele <steeled3@gmail.com> wrote:
> Hi,
>
> I'm hoping someone can provide a sanity check on the following configuration
> - i.e.: will it work?
>
> I've got a /29 public network, addresses (say) .2 to .6, with default
> gateway of .1. Can I place a Checkpoint firewall on .2 and have it use the
> remaining addresses for NAT'd services on the other side of the firewall?
Yes, not a problem: use static ARPs on the firewall (Cisco calls it proxy ARP).
FW-1 will automagically create them for you as well, but there have been issues
with this in the past (depends on OS and firewall revision).
>
> I ask as I'm certain I've done this in the past, but I'm a few years out of
> doing firewall work and my current technical contact reckons this won't work
> - that the default gate will ARP for the address and the .2 firewall won't
> respond; and that furthermore the only way to use the addresses would be to
> put a different subnet between the default gateway and the firewall and
> route the /29 network to the firewall (which I agree will work, but...)
Hmm, time for a new technical contact...
I actually prefer the route-based method, but then I have address space
to burn a /30 on.
>
> Also, would it work if the firewall was a PIX?
Should do. I think the PIX will even create them for you if you configure NAT rules.
>
> TIA
>
> --
> _______________________________
> David Steele
>
> <insert sig line witticism here>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
--
jac
------------------------------
Message: 3
Date: Tue, 6 Nov 2007 12:49:35 -0700
From: "Halchishak, John" <john.halchishak@ciber-az.com>
Subject: Re: [fw-wiz] NAT sanity check
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<B4B3243C3166D542AE4F794A25B248C89D386A@cbrex.ciber-az.com>
Content-Type: text/plain; charset="us-ascii"
I don't see why it would not work with Checkpoint, but it does with the
PIX. Our PIX actually NATs public spares to specific internal addresses
and PATs one public for all other traffic out.
John Halchishak
Hi,
I'm hoping someone can provide a sanity check on the following configuration - i.e.: will it work?
I've got a /29 public network, addresses (say) .2 to .6, with default gateway of .1. Can I place a Checkpoint firewall on .2 and have it use the remaining addresses for NAT'd services on the other side of the firewall?
I ask as I'm certain I've done this in the past, but I'm a few years out of doing firewall work and my current technical contact reckons this won't work - that the default gate will ARP for the address and the .2 firewall won't respond; and that furthermore the only way to use the addresses would be to put a different subnet between the default gateway and the firewall and route the /29 network to the firewall (which I agree will work, but...)
Also, would it work if the firewall was a PIX?
TIA
--
_______________________________
David Steele
<insert sig line witticism here>
------------------------------
Message: 4
Date: Tue, 6 Nov 2007 13:49:54 -0800
From: "DRISCOLL, ROBERT" <ROBDRI@SAFECO.com>
Subject: [fw-wiz] 2nd Life
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID:
<EC2E6563897D7943A9CB1143B9243EA002C7151C@psmrdcex17.psm.pin.safeco.com>
Content-Type: text/plain; charset="us-ascii"
Hello,
I wanted to get some feedback on a request to allow Second Life through
our network. I was hoping that perhaps someone has experience with this
application and can let me know what steps they took to mitigate the
risks.
Management is pushing pretty hard for this and they have persuaded our
Risk Management group to move forward with a possible solution. So
simply denying this is not an option.
I was hoping to use a bastion host setup behind a firewall, running
either Citrix or Remote Desktop. But I haven't tested network
performance for the client application or performance issues with
multiple users accessing the same machine.
Of course direct client access appears to be a gaping hole as second
life requires...
TCP/443
TCP/12043
UDP/12035-12036
UDP/13000-13050
Then depending on whether or not we are forced to allow voice traffic
through
TCP/80
TCP/443
TCP/21002
UDP/12000-13000
UDP/5060
UDP/5062
I have already pointed out the vulnerabilities I could find (URI
handling vulnerability exposing logon credentials to malicious sites &
650,000 users notified of data breach of Linden Labs Database server
9/2006).
If anyone on the list has had to grapple with this issue, I would
appreciate your insights.
Thanks.
Robert Driscoll, CISSP
robdri@safeco.com
------------------------------
Message: 5
Date: Mon, 5 Nov 2007 16:18:00 -0500
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] NAT sanity check
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <00a201c81ff1$58bbc820$4d00300a@ad.priorityhealth.com>
Content-Type: text/plain; charset="us-ascii"
> I've got a /29 public network, addresses (say) .2 to .6, with default
> gateway of .1. Can I place a Checkpoint firewall on .2 and have it use
> the remaining addresses for NAT'd services on the other side of the firewall?
Sure, you can use .3-.6 for publishing services to the internet (Check Point
calls it "static NAT") and use .2 for the firewall's outside interface and
also for outbound network traffic (Check Point calls this "hide NAT"). With
a /29 subnet, the first and eighth addresses (.0 and .7) are reserved and
cannot be used.
> Also, would it work if the firewall was a PIX?
Yes.
PaulM
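As an added illustration of the layout Paul describes (not code from the thread or from any vendor): a small planner that checks a same-subnet static NAT layout on a /29 against the reserved addresses (.0 and .7), the upstream gateway (.1) and the firewall's own outside/hide-NAT address (.2), and lists the public addresses the firewall must answer ARP for on behalf of internal hosts. The block 203.0.113.0/29 and the internal 10.1.1.x servers are constructed placeholders, not the poster's real addresses.

```python
import ipaddress

# Constructed example: the thread's /29 written as a documentation prefix
# (assumption: the poster never gave the real block).
PUBLIC_BLOCK = "203.0.113.0/29"
GATEWAY = "203.0.113.1"           # upstream router's address (.1), not ours to use
FIREWALL_OUTSIDE = "203.0.113.2"  # outside interface, also the hide-NAT (PAT) address
STATIC_NATS = {                   # public address -> internal server (constructed)
    "203.0.113.3": "10.1.1.10",
    "203.0.113.4": "10.1.1.11",
    "203.0.113.5": "10.1.1.12",
    "203.0.113.6": "10.1.1.13",
}


def plan_nat(block, gateway, fw_outside, statics):
    """Validate a same-subnet static NAT layout.

    Returns (errors, proxy_arp): errors is a list of layout problems, proxy_arp
    the sorted public addresses the firewall has to proxy-ARP for, i.e. every
    static NAT address that is not the firewall's own outside interface.
    """
    net = ipaddress.ip_network(block, strict=True)
    usable = set(net.hosts())   # /29 hosts(): .1-.6; .0 (network) and .7 (broadcast) excluded
    gw = ipaddress.ip_address(gateway)
    fw = ipaddress.ip_address(fw_outside)
    errors, proxy_arp, seen_internal = [], [], {}

    if gw not in usable:
        errors.append(f"gateway {gw} is not a usable host in {net}")
    if fw not in usable or fw == gw:
        errors.append(f"firewall outside {fw} is reserved or collides with the gateway")

    for pub, internal in statics.items():
        p = ipaddress.ip_address(pub)
        if p not in usable:
            errors.append(f"{p} is the network or broadcast address of {net}")
        elif p in (gw, fw):
            errors.append(f"{p} is already used by the gateway or the firewall itself")
        else:
            proxy_arp.append(p)
        if internal in seen_internal:
            errors.append(f"{internal} mapped twice ({seen_internal[internal]} and {pub})")
        seen_internal[internal] = pub

    return errors, sorted(str(a) for a in proxy_arp)


if __name__ == "__main__":
    errs, arp = plan_nat(PUBLIC_BLOCK, GATEWAY, FIREWALL_OUTSIDE, STATIC_NATS)
    print("errors:", errs or "none")
    print("proxy-ARP these on the outside interface:", ", ".join(arp))
```

The proxy-ARP list is exactly the set of addresses the upstream router at .1 will ARP for and that the firewall, rather than any real host, must answer (on FW-1 via its automatic or manual ARP entries, on a PIX via the static commands).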
------------------------------
Message: 6
Date: Tue, 6 Nov 2007 02:32:54 -0800 (PST)
From: sivakumar <siva_itech@yahoo.com>
Subject: [fw-wiz] NAT order help
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <13548213.post@talk.nabble.com>
Content-Type: text/plain; charset=us-ascii
Hi,
access-list rule1 permit tcp 10.0.0.0 255.0.0.0 host 1.1.1.1
static (inside,outside) 1.1.1.2 access-list rule1 0 0
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0 0 0
Please tell me which statement will take precedence - policy NAT or static
NAT..
--
View this message in context: http://www.nabble.com/NAT-order-help-tf4737610.html#a13548213
Sent from the Firewall Wizards mailing list archive at Nabble.com.
------------------------------
End of firewall-wizards Digest, Vol 19, Issue 2
***********************************************