FireWall-1 FAQ: NAT Based on Service
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason, people still have links to this stuff on the Internet, and people are still clicking on them.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Q:
I am looking for a way to help a customer of mine out of a jam. They are very interested in purchasing FW-1 to replace their current firewall system. What they need is a way to redirect tcp traffic based on destination tcp port, for example:
www.foo.com:80 and www.foo.com:90 are actually different machines inside the network. They're currently using a proxy system that relays these connections to the proper hosts. To help in the transition to the new firewall, I need to be able to provide this functionality. Does anyone know what software (or how FW-1) can achieve this?
A:
FireWall-1 does permit translating one destination port ("service") to another, or even redirecting to a different IP address based on service. There are some caveats on this:

1. You cannot redirect services to different IP addresses for any IPs that are associated with the firewall itself, i.e. the external addresses being translated must be unique, static addresses that the firewall does not own. You cannot, for instance, transparently redirect HTTP requests sent to the firewall's external IP address to an internal host. See below for ways to use other software to accomplish this, because FireWall-1 cannot do it.

2. All hosts for which the IP/service based translation will occur must be on the same LAN segment. This is due to how FireWall-1 performs NAT.

3. If multiple services for the same external IP address get routed to multiple internal servers based on service, you can have issues, as the OS will attempt to send packets to the incorrect host at the MAC level (only one internal host can answer ARP for the translated address). IP/service translation works best when each service is given its own externally accessible IP address. If you do not have enough IP addresses to do it like this, you still may be able to get it to work.

In your example above, you could create a NAT rule in the Motif/Win95 GUI that looks like:
     |            Original Packet             |            Translated Packet              |
No.  | Source | Destination | Service         | Source | Destination     | Service         |
-----+--------+-------------+-----------------+--------+-----------------+-----------------+
1    | Any    | www.foo.com | tcp90           | Orig   | www-int.foo.com | http            |

Here "tcp90" is a TCP service object you define for destination port 90, and "Orig" means the source address is left untranslated. The rule only rewrites the destination: a client connecting to www.foo.com:90 is sent to www-int.foo.com:80 while it still believes it is talking to www.foo.com.
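The following is an added example, not part of the original FAQ and not Check Point code. It models the rule above as a first-match destination NAT rulebase (the lookup function), and then uses that rulebase to drive a proxy-style TCP relay of the kind the questioner is migrating away from, which is also the "other software" route for the case FireWall-1 cannot handle (redirecting a service on the firewall's own address). All addresses (192.0.2.10 for www.foo.com, 10.0.0.x for the internal hosts, 127.0.0.1 for the self-test) and the rule-matching semantics are assumptions chosen for illustration; the relay works on whole TCP connections, unlike FW-1's per-packet NAT, so caveats 2 and 3 (same LAN segment, ARP/MAC ownership) do not apply to it.

```python
"""Service-based destination NAT: rulebase lookup plus a TCP relay driven by it.

Added illustration, not Check Point FireWall-1 code. All IPs and names are
constructed for the example.
"""
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    dst: Optional[str]   # original destination IP; None matches Any
    service: int         # original destination TCP port ("service")
    xlate_dst: str       # translated destination IP
    xlate_service: int   # translated destination TCP port


# Constructed rulebase: the FAQ's rule (www.foo.com:90 -> www-int.foo.com:80)
# plus a second rule so two services on one external IP reach two internal
# hosts. 192.0.2.10 stands in for www.foo.com, 10.0.0.x for internal servers.
RULEBASE: List[NatRule] = [
    NatRule("192.0.2.10", 90, "10.0.0.90", 80),
    NatRule("192.0.2.10", 80, "10.0.0.80", 80),
]


def translate(dst_ip: str, dst_port: int,
              rules: List[NatRule] = RULEBASE) -> Tuple[str, int]:
    """First matching rule wins, as a top-down NAT rulebase is evaluated.
    With no match the destination is returned untranslated."""
    for r in rules:
        if (r.dst is None or r.dst == dst_ip) and r.service == dst_port:
            return r.xlate_dst, r.xlate_service
    return dst_ip, dst_port


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_once(listener: socket.socket, rules: List[NatRule]) -> None:
    """Accept one client, look up the address it actually connected to
    (the original destination) in the rulebase, and pipe bytes both ways."""
    client, _ = listener.accept()
    ip, port = client.getsockname()[:2]
    backend = socket.create_connection(translate(ip, port, rules))
    t = threading.Thread(target=_pump, args=(backend, client), daemon=True)
    t.start()
    _pump(client, backend)
    t.join()
    client.close()
    backend.close()


def _upper_server_once(listener: socket.socket) -> None:
    """Stand-in for www-int.foo.com: read until EOF, reply with the data upper-cased."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        conn.sendall(buf.upper())


def _listen() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))   # ephemeral port on loopback
    s.listen(1)
    return s


def run_demo(payload: bytes = b"hello") -> bytes:
    """Self-contained run on loopback: the relay port plays www.foo.com:90 and the
    backend port plays www-int.foo.com:80. Returns what the client received."""
    backend_l, relay_l = _listen(), _listen()
    backend_port, relay_port = backend_l.getsockname()[1], relay_l.getsockname()[1]
    rules = [NatRule("127.0.0.1", relay_port, "127.0.0.1", backend_port)]
    threading.Thread(target=_upper_server_once, args=(backend_l,), daemon=True).start()
    threading.Thread(target=relay_once, args=(relay_l, rules), daemon=True).start()
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)   # tell the backend we are done sending
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    backend_l.close()
    relay_l.close()
    return reply


if __name__ == "__main__":
    print(translate("192.0.2.10", 90))   # the FAQ's rule
    print(run_demo())
```

Because the relay terminates the client's TCP connection and opens a new one to the internal host, the internal server sees the relay's address as the source, not the client's, which is the usual trade-off against true NAT; the `Orig` source column in the FW-1 rule is exactly what preserves the client address there.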