Netscreen NAT problem - Firewalls



Thread: Netscreen NAT problem

  1. Netscreen NAT problem

    hello,

    I'm having a problem in replacing a Checkpoint firewall with a
    Netscreen. The diagram is as follows:

    ISP <--> (real ip 202.44.55.143) Router (10.0.0.5) <--> (10.0.0.4)
    Firewall (192.168.1.1) <-----> Client (192.168.1.x)

    Before the replacement, the firewall can perform the NAT so that the
    source IP from the client shall be in the real IP like 202.44.55.143
    (using the Hide IP of the Checkpoint NAT option), and then it's being
    able to route outside.

    After the replacement using Netscreen, it does the NAT using the IP
    address of the untrust interface 10.0.0.4, and hence, unroutable.

    For the Netscreen, is there any kind of forcing the NAT to use the
    source IP of NAT-ed packets as using the 202.44.55.143? I've checked
    out the Netscreen documents that having a feature of DIP (or MIP
    whatsoever), but those DIP/MIP only allow me to set another IP that
    still within the subnet of the untrusted interface (so set to 10.0.0.8
    is OK, 202.44.55.143 is not allowed)

    The router is from the ISP and it looks like it's not NAT-ed, as
    evidenced by putting a notebook PC in place of the firewall like this:
    the PC is unable to connect outside.

    ISP <--> (real ip 202.44.55.xx) Router (10.0.0.5) <--> (10.0.0.4)
    Notebook PC

    There is another obvious solution, that we scrap the ISP's router and
    let the new Netscreen do the PPPoE, but there may be some political
    issue so that I couldn't do it.

    Thanks for any help!


  2. Re: Netscreen NAT problem

    idoltman wrote:
    > I'm having a problem in replacing a Checkpoint firewall with a
    > Netscreen. The diagram is as follows:
    >
    > ISP <--> (real ip 202.44.55.143) Router (10.0.0.5) <--> (10.0.0.4)
    > Firewall (192.168.1.1) <-----> Client (192.168.1.x)
    >
    > Before the replacement, the firewall can perform the NAT so that the
    > source IP from the client shall be in the real IP like 202.44.55.143
    > (using the Hide IP of the Checkpoint NAT option), and then it's being
    > able to route outside.


    You're connecting two private networks, so there's no need to do double
    NAT. Do NAT on the router, and simply route on the firewall.

    > After the replacement using Netscreen, it does the NAT using the IP
    > address of the untrust interface 10.0.0.4, and hence, unroutable.
    >
    > For the Netscreen, is there any kind of forcing the NAT to use the
    > source IP of NAT-ed packets as using the 202.44.55.143? I've checked
    > out the Netscreen documents that having a feature of DIP (or MIP
    > whatsoever), but those DIP/MIP only allow me to set another IP that
    > still within the subnet of the untrusted interface (so set to 10.0.0.8
    > is OK, 202.44.55.143 is not allowed)
    >
    > The router is from the ISP and it looks like it's not NAT-ed, as
    > evidenced by putting a notebook PC in place of the firewall like this:
    > the PC is unable to connect outside.
    >
    > ISP <--> (real ip 202.44.55.xx) Router (10.0.0.5) <--> (10.0.0.4)
    > Notebook PC


    Umm... something is not right here. If the setup you initially described
    has worked before the router *must* have done NAT, otherwise you
    wouldn't have been able to use private IP addresses for the connection
    between router and firewall. Check the router's configuration. And don't
    do double NAT.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. Re: Netscreen NAT problem

    [..]
    >
    >I'm having a problem in replacing a Checkpoint firewall with a
    >Netscreen. The diagram is as follows:
    >
    > ISP <--> (real ip 202.44.55.143) Router (10.0.0.5) <--> (10.0.0.4)
    >Firewall (192.168.1.1) <-----> Client (192.168.1.x)
    >
    >Before the replacement, the firewall can perform the NAT so that the
    >source IP from the client shall be in the real IP like 202.44.55.143
    >(using the Hide IP of the Checkpoint NAT option), and then it's being
    >able to route outside.
    >
    >After the replacement using Netscreen, it does the NAT using the IP
    >address of the untrust interface 10.0.0.4, and hence, unroutable.
    >
    >For the Netscreen, is there any kind of forcing the NAT to use the
    >source IP of NAT-ed packets as using the 202.44.55.143? I've checked
    >out the Netscreen documents that having a feature of DIP (or MIP
    >whatsoever), but those DIP/MIP only allow me to set another IP that
    >still within the subnet of the untrusted interface (so set to 10.0.0.8
    >is OK, 202.44.55.143 is not allowed)
    >
    >The router is from the ISP and it looks like it's not NAT-ed, as
    >evidenced by putting a notebook PC in place of the firewall like this:
    >the PC is unable to connect outside.
    >
    > ISP <--> (real ip 202.44.55.xx) Router (10.0.0.5) <--> (10.0.0.4)
    >Notebook PC
    >
    >There is another obvious solution, that we scrap the ISP's router and
    >let the new Netscreen do the PPPoE, but there may be some political
    >issue so that I couldn't do it.


    So I understand...the external interface of the firewall
    is 10.0.0.4 but you want the egress IPs to be 202.x ?

    Typically the ISP gives you a routable range and this is what the
    firewall <-> router uses. Then you NAT to the egress on the firewall
    (same as Checkpoint (ugh!) hide NAT). The external router has
    another, different range for the physical layer.

    So why are you using 10.x ? This makes things difficult.

    You could probably solve this by doing policy based NAT on all
    outbound packets. So from Trust to Untrust..
    Policies > (trust to untrust) > Edit > Advanced > Destination
    Translation - and fill in the blanks.

    http://www.juniper.net/techpubs/software/screenos/
    Grab the NAT volume.

    alan

  4. Re: Netscreen NAT problem


    yeah, this isn't right. the router shouldn't be on the private network
    unless IT is doing the NAT. and if the trusted interface on it is a
    private IP like you show, it would have to be doing the NAT. and if it
    is, then the netscreen shouldn't be doing any NAT.
    have one or the other do the inbound and outbound NAT, not both.

    -Tony
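The point made in replies 2 and 4 (exactly one device on the path should translate the source address, and the address the ISP sees must be routable) can be checked mechanically before touching either box. The following is an added example, not code from the thread or from Juniper or Check Point: it models the thread's ISP <-> router <-> firewall <-> client topology as a list of hops, each of which either routes the packet unchanged or rewrites its source, and reports the egress source the ISP would see, how many times the source was translated, and the two failure modes discussed above (an RFC 1918 source leaking to the ISP, and double NAT). The hop model, the `Hop` class and the function names are this example's own assumptions; the addresses are the ones given in the thread.

```python
"""Trace an outbound packet's source address hop by hop and flag the
NAT layouts the thread warns about. Hop model and names are this
example's assumptions, not ScreenOS or Check Point behaviour."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str
    # Address this hop rewrites the source to on the way out;
    # None means the hop only routes and leaves the source alone.
    snat_to: Optional[str] = None


def trace_egress(client_src: str, hops: List[Hop]) -> Tuple[str, int, List[str]]:
    """Walk the packet from the client outward through `hops`.

    Returns (source address seen by the ISP, number of source
    translations applied, list of findings a reviewer would flag).
    """
    src = ipaddress.ip_address(client_src)
    nat_count = 0
    for hop in hops:
        if hop.snat_to is not None:
            src = ipaddress.ip_address(hop.snat_to)
            nat_count += 1

    findings = []
    if src.is_private:
        # The ISP has no return route for RFC 1918 space, so replies never come back.
        findings.append(f"egress source {src} is private and unroutable beyond the ISP")
    if nat_count > 1:
        findings.append(f"double NAT: source rewritten {nat_count} times")
    if nat_count == 0 and ipaddress.ip_address(client_src).is_private:
        findings.append("no NAT at all: private client address leaks to the ISP")
    return str(src), nat_count, findings


# Addresses from the thread (inside-to-outside hop order).
CLIENT = "192.168.1.10"       # constructed host in the client's 192.168.1.x range
FW_UNTRUST = "10.0.0.4"
ROUTER_PUBLIC = "202.44.55.143"


def scenarios():
    """The layouts discussed in the thread, keyed by a short label."""
    return {
        # Netscreen with default interface NAT: hides behind 10.0.0.4, router just routes.
        "netscreen_default": trace_egress(
            CLIENT, [Hop("firewall", FW_UNTRUST), Hop("router")]),
        # Reply 2 / reply 4: router does the NAT, firewall only routes.
        "nat_on_router": trace_egress(
            CLIENT, [Hop("firewall"), Hop("router", ROUTER_PUBLIC)]),
        # Reply 3: firewall translates straight to the public address, router routes.
        "nat_on_firewall": trace_egress(
            CLIENT, [Hop("firewall", ROUTER_PUBLIC), Hop("router")]),
        # The layout every reply warns against: both boxes translate.
        "double_nat": trace_egress(
            CLIENT, [Hop("firewall", FW_UNTRUST), Hop("router", ROUTER_PUBLIC)]),
    }


if __name__ == "__main__":
    for label, (egress, count, findings) in scenarios().items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{label:18s} egress={egress:15s} nat_hops={count}  {status}")
```

Running it shows only `nat_on_router` and `nat_on_firewall` come out clean; the Netscreen default layout is flagged because 10.0.0.4 is private, and the "both boxes translate" layout is flagged as double NAT even though its egress address is routable. That matches the thread's conclusion: pick one device to translate, and make sure the address it translates to is the public one.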

