The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: NAT Based on Service With Only One Legal IP

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

In the NG release, it is possible to do this because NAT can occur before routing. In the Global Properties, in the NAT section, make sure "Perform destination translation on the client side" is checked. Then you can create NAT rules similar to the following:



Source Destination Service Source Destination Service
Any firewall HTTP Original http-server Original
Any firewall FTP Original ftp-server Original

If you are running FireWall-1 4.1 SP3 and above, there are pre-defined http-mapped, ftp-mapped, smtp-mapped services, not to mention creating your own. This can only be done with TCP services. You will create two rules as follows (sample with http-mapped):

Source Destination Service Action
Any firewall http-mapped Accept
Any internal-web-server http Accept

Essentially, you need to first reference the firewall and "mapped" service in one rule, then the real host and service in a later rule.

The -mapped services are services of type other with the following in the match field: SRV_REDIRECT(firewall-port,internal-host-ip,host-port). You will need to modify this service to fit your configuration. You can also easily create your own "mapped" services since any simple TCP service is supported. Note that redirected FTP connections will require you to explicitly allow ftp-data connections.

SRV_REDIRECT services also require at least one NAT rule be present in your rulebase. The rule does not have to apply to the connection at all, it can even be a totally bogus rule. However, at least one NAT rule must be present.

If running FireWall-1 4.1 SP2 or before, there are various ways to accomplish more or less the same way, though it cannot be done with FireWall-1. In Linux, you can use ipchains with the port forwarding to do this. On other Unix platforms, you can use a variety of different plug proxy applications.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.