The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: NAT Based on Service

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Q:

I am looking for a way to help a customer of mine out of a jam. They are very interested in purchasing FW-1 to replace their current firewall system. What they need is a way to redirect tcp traffic based on destination tcp port, for example:

www.foo.com:80 and www.foo.com:90 are actually different machines inside the network.  They're currently using a proxy system that relays these connections to the proper hosts. To help in the transition to the new firewall, I need to be able to provide this functionality.  Does anyone know what software (or how FW-1) can achieve this?

A:

FireWall-1 does permit translating one destination port ("service") to another, or even redirecting to a different IP address based on service. There are some caveats on this:

  1. You cannot redirect services to different IP addresses for any IPs that are associated with the firewall, i.e. they must be unique, static addresses. You cannot, for instance, transparently redirect HTTP requests to the firewall's external IP address to an internal host. Because FireWall-1 cannot do this, see below for ways to use other software to accomplish it.
  2. All hosts for which the IP/service based translation will occur must be off the same LAN segment. This is due to how FireWall-1 performs NAT.
  3. If multiple services for the same external IP address get routed to multiple internal servers based on service, you can have issues as the OS will attempt to send packets to the incorrect host at the MAC level.

IP/service translation works best when each service is given its own externally accessible IP address. If you do not have the IP addresses to do it like this, then you still may be able to get it to work. In your example above, you could create a NAT rule in the Motif/Win95 GUI that looks like:

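| No. | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|---|---|---|---|---|---|---|
| 1 | Any | www.foo.com | tcp90 | Orig | www-int.foo.com | http |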

Where tcp90 is a TCP service you create (port 90) and www-int.foo.com is your internal machine.

Your routing may need to be modified to handle this correctly (aside from the normal modifications needed for destination static translations). Let's assume you are using the static IP 206.86.0.5 as your public address. Ports 25, 80, and 21 each go to different servers (192.168.0.25, 192.168.0.80, and 192.168.0.21 respectively). If you simply had one route statement in your route table:

route add 206.86.0.5 192.168.0.25 1

Then if 192.168.0.25 goes down, it will effectively take down external access to the other servers. A workaround for this would be to add additional routes:

route add 206.86.0.5 192.168.0.25 1
route add 206.86.0.5 192.168.0.80 2
route add 206.86.0.5 192.168.0.21 3

Note that we are simply adding the other "translated" hosts as backup routes (with metric 2 and 3 respectively). The ideal would be to allocate a specific IP address for each service instead of using the same IP for more than one host.
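
The Python sketch below is an added example, not part of the original FAQ and not Check Point code. It models the service-based destination translation described above, checks a rule list against the three caveats, and derives the backup routes in the order shown. The firewall addresses and the /24 internal segment are assumed values; the rules reuse the 206.86.0.5 example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: the 206.86.0.5 example from the text, plus assumed
# firewall addresses and an assumed /24 internal segment.
FIREWALL_IPS = {"206.86.0.1", "192.168.0.1"}
INTERNAL_SEGMENT = ipaddress.ip_network("192.168.0.0/24")
RULES = [  # (original dst IP, original dst port, translated dst IP, translated port)
    ("206.86.0.5", 25, "192.168.0.25", 25),
    ("206.86.0.5", 80, "192.168.0.80", 80),
    ("206.86.0.5", 21, "192.168.0.21", 21),
]

def translate(rules, dst, port):
    """First matching rule wins; unmatched traffic is left untranslated."""
    for o_dst, o_port, t_dst, t_port in rules:
        if (dst, port) == (o_dst, o_port):
            return t_dst, t_port
    return dst, port

def hosts_per_address(rules):
    """Map each original destination IP to its translated hosts, in rule order."""
    targets = defaultdict(list)
    for o_dst, _, t_dst, _ in rules:
        if t_dst not in targets[o_dst]:
            targets[o_dst].append(t_dst)
    return targets

def check_rules(rules, firewall_ips, segment):
    """Return warnings for rules that run into the three caveats."""
    warnings = []
    for n, (o_dst, _, t_dst, _) in enumerate(rules, 1):
        if o_dst in firewall_ips:
            warnings.append(f"rule {n}: {o_dst} belongs to the firewall (caveat 1)")
        if ipaddress.ip_address(t_dst) not in segment:
            warnings.append(f"rule {n}: {t_dst} is outside {segment} (caveat 2)")
    for o_dst, hosts in hosts_per_address(rules).items():
        if len(hosts) > 1:
            warnings.append(f"{o_dst} maps to {len(hosts)} hosts (caveat 3)")
    return warnings

def backup_routes(rules):
    """One host route per translated host, metric rising in rule order."""
    return [f"route add {o_dst} {gw} {metric}"
            for o_dst, hosts in hosts_per_address(rules).items()
            for metric, gw in enumerate(hosts, 1)]

if __name__ == "__main__":
    print(translate(RULES, "206.86.0.5", 80))
    print(*check_rules(RULES, FIREWALL_IPS, INTERNAL_SEGMENT), sep="\n")
    print(*backup_routes(RULES), sep="\n")
```

For the sample rules the only warning is the caveat 3 one, which is the situation the extra route statements work around.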

In some cases, you can establish the static route to the internal IP of the firewall. This does not work on all platforms.

See also this doc from Check Point's Support Site.

Port Forwarding Firewall Ports

FireWall-1 4.1 SP3 and above can translate ports for TCP packets coming to the firewall's IP addresses. See NAT Based on Service with only one legal IP for more details.
