The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: NAT and Encryption

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Q:

What sort of thing do I need to look out for on system that use both encryption and address translation? For example, let say I have the following network:

netA --- (le0) firewallA (le1) -- internet --- (le0) firewallB (le1) --  netB
        netA is illegal: 10.1.1.0
        le0: is 10.1.1.1
        le1: is 192.91.18.1

        netB is legal: 195.8.5.0
        le0: 195.8.1.1
        le1: 195.8.5.1

on firewallA: address translation

  • static: 10.1.1.2 <-> 192.91.18.2
  • hide: 10.1.1.3 to 10.1.1.255 -> 192.91.18.3

A:

Encryption Domain

On firewallA, encryption domain for firewallA needs to have both:

  • illegal addresses: network 10.1.1.0,
  • and legal addresses: network 192.91.18.0

On firewallB, the encryption domain for firewallA needs to have only the the legal address 192.91.18.0.

Encryption Rule

On firewallA, you should have two rules:

10.1.1.0        195.8.5.0       Encrypt         Long    Gateways
195.8.5.0       192.91.18.0     Encrypt         Long    Gateways

As with any kind of address translation, the inspection module see the packets as the originator of the connection sees it. So for the first rule takes care of outgoing connection and the second rule takes care of incoming connection.

On firewallB, you also need two rules:

192.91.18.0     195.8.5.0       Encrypt         Long    Gateways
195.8.5.0       192.91.18.0     Encrypt         Long    Gateways
Notes that firewallB only knows about legal adresses.

A General Commment

In general, for a connection from A on netA to B on netB:
  1. packets are encrypted by firewallA
  2. address is translated by firewallA
  3. packets are decrypted by firewallB 
  4. returned packets are encrypted by firewallB
  5. returned packets' address is translated by firewallA
  6. returned packets are decrypted by firewallA

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.