Posted by stephane nasdrovisky on November 10, 2004, 8:42 am
Chuck wrote:
> I've heard that some firewalls / nat routers are capable of carrying
> out port translation based on source address.
>
> Example:
>
> * The public address of my border firewall is 50.60.70.80
> * I want to configure a nat/pat to forward port 22 from the public
> source address 30.30.30.80 to my inside device 192.168.5.1, and
> requests from all other public source addresses to be handled by the
> router itself (ie not natted).
>
> Apparently this is possible on Microsoft ISA & OpenBSD, but as far as
> I know Cisco can't do it, for example in Cisco you would just type:
> ip nat inside source static tcp 192.168.5.1 22 interface <interfacename> 22
You could add an ACL in order to accept only some addresses; the others
would be dropped, no?
> and that would NAT ALL traffic directed at port 22 of its public IP
> address to the inside device 192.168.5.1, i.e. you can't differentiate
> based on source address.
>
> If anyone can write on their experience with this on Cisco, ISA,
> Checkpoint, OpenBSD or anything else that would be great.
With Checkpoint, NAT (as well as accept/deny rules) is rule-based: you
can define a rule which will NAT src, dst, service to src2, dst2, service2.
src, dst & service can be 'any'.
You'll need a somewhat recent FireWall-1 (NG FP2?) in order to be able
to NAT a single destination to various net segments (routing was done
before NAT on older FireWall-1; now routing is done after NAT, so the
packets are routed to the right segment).
On OpenBSD or Linux, iptables seems very customisable.
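Chuck's scenario written as an OpenBSD pf.conf fragment, added here as an illustration and not taken from either poster; it assumes current pf syntax (match/rdr-to, OpenBSD 4.7 and later), an external interface named em0, and that the firewall's own sshd listens on port 22. The point to notice is that the filter rules see the already-translated destination, so the trusted source is passed to the inside host while everyone else is passed to the firewall itself.

```pf
# Added example (not from the thread): source-dependent port forwarding in pf.
# Names below are assumptions for the example, not values from the original posts.
ext_if      = "em0"             # assumed external interface name
fw_public   = "50.60.70.80"     # public address of the border firewall
trusted_src = "30.30.30.80"     # the one public source allowed to reach the inside host
inside_host = "192.168.5.1"     # internal device that should receive that source's SSH

# Default deny on the outside interface; later pass rules open only what is needed.
block in on $ext_if all

# Only for the trusted source: rewrite the destination of port 22 to the inside host.
# No other source matches this rule, so their packets keep the firewall as destination.
match in on $ext_if proto tcp from $trusted_src to $fw_public port 22 rdr-to $inside_host port 22

# After rdr-to the packet's destination is already $inside_host, so filter on that.
pass in on $ext_if proto tcp from $trusted_src to $inside_host port 22

# Every other public source still talks to the firewall's own sshd, untranslated.
pass in on $ext_if proto tcp from any to $fw_public port 22
```

Replies from 192.168.5.1 are handled by the state created on the pass rule, so the inside host only needs its default route to point back through the firewall.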