FireWall-1 FAQ: User Auth Doesn't Work With NAT
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Anytime the security servers intercept a connection, either for authentication or content security, FireWall-1 will originate the outgoing connection itself, at least in version 4.1 and before (NG does not appear to have this behaviour). Any previously-applied NAT rules will not take effect. This connection will traverse the address translation rulebase with it's own IP address as the source address. You would have to use the following NAT rules (Where Firewall-int is the IP of your internal interface):
|
|
|||||
Source | Destination | Service | Source | Destination | Service | |
1. | x.y.1.50 - x.y.255.255 | Any | Any | FireWall (H) | Orig | Orig |
2. | FireWall-int | a.b.c.4 | Any | FireWall-int (H) | x.y.1.4(S) | Orig |
3. | Any | a.b.c.4 | Any | Orig | x.y.1.4(S) | Orig |