FireWall-1 FAQ: NAT Based on Service With Only One Legal IP
Last Modified: 10 Nov 2001
Please note: This content was from when I was operating my FireWall-1
FAQ site, which I stopped operating in August 2005. For some reason people
still have links to this stuff on the Internet that people are still clicking
on.
I am making this information available again AS IS. Given how
old this information is, it is likely wildly inaccurate. I have no plans to
update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where
this information is still relevant to you, do yourself a favor and upgrade to
a more recent release. If you happen to be running a current release
and the information is useful, it's by happenstance :)
In the NG release, it is possible to do this because NAT can occur before routing. In the Global Properties, in the NAT section, make sure “Perform destination translation on the client side” is checked. Then you can create NAT rules similar to the following:
| Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service |
|---|---|---|---|---|---|
| Any | firewall | HTTP | Original | http-server | Original |
| Any | firewall | FTP | Original | ftp-server | Original |
If you are running FireWall-1 4.1 SP3 or above, there are pre-defined
http-mapped, ftp-mapped and smtp-mapped services, and you can also create your own.
This can only be done with TCP services. You will create two rules as follows
(sample with http-mapped):
| Source | Destination | Service | Action |
|---|---|---|---|
| Any | firewall | http-mapped | Accept |
| Any | internal-web-server | http | Accept |
Essentially, you need to first reference the firewall and the "mapped"
service in one rule, then the real host and service in a later rule.
The -mapped services are services of type Other with the following in the
Match field: SRV_REDIRECT(firewall-port,internal-host-ip,host-port). You will
need to modify this service to fit your configuration. You can also easily
create your own "mapped" services, since any simple TCP service is
supported. Note that redirected FTP connections will require you to explicitly
allow ftp-data connections.
SRV_REDIRECT services also require that at least one NAT rule be present in your
rulebase. The rule does not have to apply to the connection at all; it can even
be a totally bogus rule. However, at least one NAT rule must be present.
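As an added illustration (not from the FAQ or from Check Point), here is a small Python model of both approaches above: the NG setting that translates the destination before routing, and the 4.1 SP3 two-rule SRV_REDIRECT chaining. The addresses, the Pkt class and the assumption that a redirect rule hands the rewritten connection on to later rules are mine.

```python
from dataclasses import dataclass, replace
FIREWALL = "203.0.113.1"                                # constructed: the one legal IP
INTERNAL = {"http-server": "10.0.0.10", "ftp-server": "10.0.0.20"}  # constructed hosts

@dataclass(frozen=True)
class Pkt:
    dst: str
    dport: int

# NG NAT table from above: (original dst, service port) -> translated dst
NAT_RULES = [(FIREWALL, 80, INTERNAL["http-server"]), (FIREWALL, 21, INTERNAL["ftp-server"])]

def translate(pkt):
    """First matching NAT rule wins; source and service stay 'Original'."""
    for odst, port, tdst in NAT_RULES:
        if pkt.dst == odst and pkt.dport == port:
            return replace(pkt, dst=tdst)
    return pkt

def route(dst):
    """Where a packet with this destination is delivered."""
    if dst == FIREWALL:
        return "local"                                  # the firewall's own stack
    return "internal" if dst.startswith("10.0.0.") else "external"

def ng_deliver(pkt, client_side=True):
    """'Perform destination translation on the client side' = translate before routing.
    With it off, a packet for the firewall's own IP is delivered locally and the NAT
    rule never gets the chance to send it to the internal server."""
    if not client_side and route(pkt.dst) == "local":
        return "local", pkt.dst
    pkt = translate(pkt)
    return route(pkt.dst), pkt.dst

def fw41_rulebase(pkt, rules):
    """4.1 SP3 '-mapped' model: a SRV_REDIRECT rule rewrites destination and port and
    matching continues at later rules, which must accept the real host and service
    (assumption: this chaining is how the page's two rules work together)."""
    for dst, port, action in rules:
        if pkt.dst == dst and pkt.dport == port:
            if action == "Accept":
                return "Accept", pkt.dst
            _, ip, hport = action                       # ("redirect", ip, port) ~ SRV_REDIRECT
            pkt = replace(pkt, dst=ip, dport=hport)
    return "Drop", pkt.dst                              # no later rule for the real host

# The http-mapped sample above: firewall:80 redirected, then the real host accepted
RULES_41 = [(FIREWALL, 80, ("redirect", INTERNAL["http-server"], 80)),
            (INTERNAL["http-server"], 80, "Accept")]
```

Swapping the order of RULES_41, or dropping its second rule, makes fw41_rulebase drop the connection, which is the "later rule" requirement from the text.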
If you are running FireWall-1 4.1 SP2 or earlier, there are various ways to accomplish
more or less the same thing, though not with FireWall-1 itself. On Linux,
you can use ipchains with port forwarding to do this. On other Unix
platforms, you can use a variety of plug proxy applications.