Network Security Firewalls

Checkpoint Firewall-1 NG FP3 HFA327, manual static NAT and ClusterXL

Subject: Checkpoint Firewall-1 NG FP3 HFA327, manual static NAT and ClusterXL
Date: Fri, 23 Sep 2005 08:25:04 +0200
Hi experts,

I have a problem. (don't we all :-)  )
I use the above mentioned version running on Linux (RH7.3). I'm running
ClusterXL in HA mode.
The problem I have is that when I make manual static NAT rules
(procedure described below) and the cluster fails so the passive node
becomes active, the static NAT address does not generate a gratuitous
ARP. So connections to that NAT ip-address do not fail over to the new
active node!

These are the hosts and ip-addresses:
internal = the internal host that needs to be accessed
nat-internal = the nat address for the internal host that the external
host contacts
external = the external host that needs access to the internal host


I set up static NAT as follows:
NAT rules:

ORIGINAL PACKET                                TRANSLATED PACKET
Source      Destination    Service             Source              Destination     Service
----------  -------------  ----------          ------------------  --------------  --------
external    nat-internal   any                 original            internal (s)    any
internal    external       any                 nat-internal (s)    original        any

Proxy arp is configured on the interface with
# echo 1 > /proc/sys/net/ipv4/conf/ethx/proxy_arp

Static routes are added to get it all to work
# ip r a nat-internal via internal

Global Properties are setup as follows:
Automatic NAT rules
[x]   Allow bi-directional NAT
[x]   Translate destination on client side
[x]   Automatic ARP configuration

Manual NAT rules
[x]   Translate destination on client side

Have tcpdumped and there is no gratuitous ARP sent for nat-internal when
the cluster fails to the passive node. Gratuitous ARP is sent for the
cluster interface.

I have also used the Automatic NAT rules (but I am unable to configure
that with a specific source) and that works fine.
Is there not anyone who has had this problem before me? I find it very
hard to believe. Anybody know of a way around this?
The other thing is, I'm planning shortly to upgrade to NG AI R55 and
wonder if the problem is solved in that version. (I will test this, but
if anybody knows, please tell me)

I have searched the Checkpoint Knowledge base for answers but there is
nothing mentioned about this. Some patches exist for FP3 and problems
with gratuitous ARP and the cluster addresses, but none address the
problem with manual static NAT failover.

regards
/jimmy



-- 
****************************************
Jimmy Jutwreten
mailto:jimmy@mnemonic.se

mnemonic AB
Finlandsg. 56, 164 74 Kista
phone: +46-8-444 89 90
web: http://www.mnemonic.se
PGP key: 0x9D2D9E26
PGP keyserver: http://wwwkeys.pgp.net
***************************************
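A check for the failover test described in the post, added here as an example and not part of the original message or of any Check Point tooling: it parses `tcpdump -n -e arp` output (the sample below is constructed, with documentation-range addresses standing in for the cluster address and nat-internal) and reports which expected addresses were never announced by a gratuitous ARP after the switchover.

```python
import re
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# One line of `tcpdump -n -e arp` output, in either the request or the reply form.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),.*?: "
    r"(?:Request who-has (?P<tip>[\d.]+) tell (?P<sip>[\d.]+)"
    r"|Reply (?P<rip>[\d.]+) is-at (?P<mac>[0-9a-f:]+))"
)

# Constructed sample capture taken on the external segment right after a failover.
# 203.0.113.1 plays the cluster address, 203.0.113.20 plays nat-internal.
SAMPLE = """\
08:25:04.101 00:a0:c9:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.1 tell 203.0.113.1, length 28
08:25:04.102 00:a0:c9:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 203.0.113.1 is-at 00:a0:c9:00:00:01, length 28
08:25:04.500 00:50:56:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.20 tell 203.0.113.77, length 28
08:25:04.501 00:a0:c9:00:00:01 > 00:50:56:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 203.0.113.20 is-at 00:a0:c9:00:00:01, length 28
"""


def gratuitous_arps(capture):
    """Map each IP that announced itself by gratuitous ARP to the timestamps seen."""
    seen = defaultdict(list)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Request form: the sender asks for its own address (who-has X tell X).
        if m.group("tip") and m.group("tip") == m.group("sip"):
            seen[m.group("tip")].append(m.group("ts"))
        # Reply form: an unsolicited "X is-at MAC" sent to the broadcast address.
        elif m.group("rip") and m.group("dst") == BROADCAST:
            seen[m.group("rip")].append(m.group("ts"))
    return dict(seen)


def missing_announcements(capture, expected):
    """Return the expected addresses (cluster IP, every NAT IP) that were never announced."""
    return sorted(set(expected) - set(gratuitous_arps(capture)))


if __name__ == "__main__":
    missing = missing_announcements(SAMPLE, ["203.0.113.1", "203.0.113.20"])
    print("no gratuitous ARP after failover for:", missing or "none")
```

A plain answer to a request from the external host (last sample line) is not an announcement, so upstream ARP caches keep the old node's MAC until they time out; the script flags exactly that case.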
