The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Can't Get to a Translated Address from a Non-Firewalled Host

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Q:

I have address translation working, but I've got a particular node that I can't seem to get talking to a node on the Internal network that is being address translated. Here is my network configuration:

    1st Client        FireWalled Gateway               Router
    (10.0.0.2) <------>le0           qe0   <------->(203.234.222.254)<--------> WAN
                 | (10.0.0.1)  (203.238.108.2) |                       serial
    2nd Client   |                             |
    (10.0.0.3) <--           (203.238.108.80)<--

My NAT rules look like this:

    ================================================================================
     No. |  From Original  |   To Original   |   Method        |   First Translated
         |  Address(Port)  |   Address(Port) |                 |   Address(Port)
    --------------------------------------------------------------------------------
     0   |  10.0.0.2       | 10.0.0.3        | FWXT_SRC_STATIC | 203.238.108.90
     1   | 203.238.108.90  | 203.238.108.91  | FWXT_DST_STATIC |    10.0.0.2
    ================================================================================

My routing tables on the firewall look like:

    Destination        Gateway        Flags    Ref   Use    Interface
    -----------------------------------------------------------------------------
    127.0.0.1          127.0.0.1        UH       0      1450   lo0
    203.238.108.90     10.0.0.2         UGH      0        6
    203.238.108.0      203.238.108.2    U        3        27   le0
    10.0.0.0           10.0.0.1         U        2        6    qe0
    244.0.0.0          203.238.108.2    U        3        0    le0
    default            203.238.108.254  UG       0        25

On the first machine, the routing table looks like:

    Destination        Gateway        Flags     Ref     Use     Interface
    -----------------------------------------------------------------------------
    127.0.0.1          127.0.0.1        UH       0       196     lo0
    10.0.0.0           10.0.0.2         U        3         5     le0
    224.0.0.0          10.0.0.2         U        3         0     le0
    default            10.0.0.1         UG       0        19

The Cisco Router has the following lines in its configuration:

    # show conf
          :
          :
    ip route 203.238.108.90 255.255.255.255 203.238.108.2
    ip route 203.238.108.91 255.255.255.255 203.238.108.2
          :
          :

I can ping in both directions between hosts on my WAN and 203.238.108.90, but I can't ping from a host outside the firewall at 203.238.108.80. What am I missing here?

A:

From the "near" side of the firewall, all traffic reaches the WAN fine: routing works at the gateway, and the internal nodes know to send everything there. Traffic coming back from the WAN must pass through the router, which knows how to reach the translated addresses thanks to the static host routes you added.

What has not been addressed is hosts that sit on the same segment as the firewall's external interface, between the firewall and the WAN router. When 203.238.108.80 wants to send a packet to 203.238.108.90 (one of your translated addresses), it needs to know where to send it. Because .80 and .90 are (logically) on the same subnet, .80 never consults the router, so the static host routes never come into play; instead it sends out an ARP request ("Who is 203.238.108.90?") looking for a MAC address to deliver to. No host actually owns that address, nothing answers the request, and the packet is never sent.

Instead of the static host routes on the router, configure "Proxy ARP" entries on your firewall machine so that it answers ARP requests for the translated addresses with its own external MAC address. See Routing and ARP Issues with NAT for more details.
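To make the reasoning above concrete, here is an added model (not code from the FAQ or from Check Point) that walks through the forwarding decision of each party in the question's topology. The IP addresses are the ones from the question; the MAC addresses, the router's LAN address (taken from the firewall's default route) and the `Node`/`resolve` helpers are constructed for the example. It shows why a packet that enters from the WAN is delivered via the router's static host route, why the on-subnet host at .80 fails with nothing but those routes, and why a published (proxy) ARP entry on the firewall fixes the second case without breaking the first.

```python
import ipaddress

# Constructed MAC addresses for the model (not from the FAQ).
FW_EXT_MAC = "08:00:20:aa:bb:01"   # firewall's external interface (le0)
ROUTER_MAC = "00:00:0c:11:22:33"   # WAN router's LAN interface
HOST80_MAC = "08:00:20:cc:dd:80"   # the non-firewalled host at .80


class Node:
    """One host on the 203.238.108.0/24 segment with a tiny routing table."""

    def __init__(self, name, ip, prefixlen, mac, default_gw=None,
                 host_routes=None, published=()):
        self.name = name
        self.iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
        self.mac = mac
        self.default_gw = ipaddress.ip_address(default_gw) if default_gw else None
        # Static /32 host routes, destination -> next hop (the router's "ip route" lines).
        self.host_routes = {ipaddress.ip_address(d): ipaddress.ip_address(nh)
                            for d, nh in (host_routes or {}).items()}
        # Addresses this node answers ARP for besides its own: the proxy ARP entries.
        self.published = {ipaddress.ip_address(a) for a in published}

    def answers_arp_for(self, ip):
        return ip == self.iface.ip or ip in self.published


def arp(segment, target_ip):
    """Broadcast 'who has target_ip?' on the segment; return the first responder's MAC."""
    for node in segment:
        if node.answers_arp_for(target_ip):
            return node.mac
    return None   # nobody owns or publishes the address: the request times out


def next_hop(node, dst):
    """Longest-prefix match: a /32 host route beats the connected /24, which beats default."""
    if dst in node.host_routes:
        return node.host_routes[dst]
    if dst in node.iface.network:
        return dst                      # on-link: ARP for the destination itself
    return node.default_gw


def resolve(node, segment, dst):
    """MAC the node would put on a frame for dst, or None if delivery is impossible."""
    hop = next_hop(node, ipaddress.ip_address(dst))
    return arp(segment, hop) if hop is not None else None


def build_segment(proxy_arp):
    """The segment between firewall and router, with or without proxy ARP on the firewall."""
    translated = ("203.238.108.90", "203.238.108.91")
    firewall = Node("firewall", "203.238.108.2", 24, FW_EXT_MAC,
                    default_gw="203.238.108.254",
                    published=translated if proxy_arp else ())
    router = Node("router", "203.238.108.254", 24, ROUTER_MAC,
                  host_routes={a: "203.238.108.2" for a in translated})
    host80 = Node("host80", "203.238.108.80", 24, HOST80_MAC,
                  default_gw="203.238.108.254")
    return firewall, router, host80


def scenario(proxy_arp):
    """Where a packet for the translated address 203.238.108.90 ends up, per sender."""
    firewall, router, host80 = build_segment(proxy_arp)
    segment = [firewall, router, host80]
    return {
        # A packet from the WAN: the router's static host route points at the firewall.
        "router_to_90": resolve(router, segment, "203.238.108.90"),
        # The on-subnet host: no route lookup, it ARPs for .90 directly.
        "host80_to_90": resolve(host80, segment, "203.238.108.90"),
    }


if __name__ == "__main__":
    for proxy in (False, True):
        print(f"proxy ARP on firewall: {proxy}")
        for sender, mac in scenario(proxy).items():
            print(f"  {sender}: {'frame goes to ' + mac if mac else 'ARP unanswered, packet dropped'}")
```

With `proxy_arp=False` the router still delivers (its /32 route sends the frame to the firewall's MAC), but `host80_to_90` comes back `None`: the ARP for .90 is never answered, which is exactly the symptom in the question. With `proxy_arp=True` both senders end up at the firewall's external MAC. On a Solaris-style host like the one in the question, the published entry is what an `arp -s <translated-ip> <firewall-mac> pub` line creates; the firewall-mac value is whatever the external interface actually carries, not something to copy from this example.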

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.