Stopping Certain IP Address and Port Translation

  • Greetings,
    Long time reader, first time poster….

    I have an SSG550 with the latest and greatest firmware installed. My implementation of our firewall has always been rather simplistic.

    However, I have made some changes in my network that has placed my management servers in a different domain than my clients. The management servers are in the DMZ while the clients are in the Trusted domain.

    Everything works pretty well for the most part. I do have one problem. When I initiate certain communication from a management server to one of our clients, the communication fails because on its return trip the source port is translated to another port that is not used for that protocol.

    For example, from the management server I try to establish an X Windows session to one of my Solaris 10 systems. I use an XDMCP query to establish the session. XDMCP uses port 177. The following is what is seen in the logs.

    [XDMCP Query, Server(DMZ) to Client(Trust)]
    [DMZ to Trust]
    SRC:PORT        DST:PORT        Translated SRC:PORT        Translated DST:PORT
                                    {remains the same}         {remains the same}

    [XDMCP Query Response, Client(Trust) to Server(DMZ)]
    [Trust to DMZ]
    SRC:PORT        DST:PORT        Translated SRC:PORT        Translated DST:PORT

    So my problem is that on the return path (from Trust to DMZ) the source port, which should be 177, is changed to some random number. When the packet reaches the destination with that port number it does not know what to do with it and thus discards it. I have looked at using tunnels, but it seems those are typically from network device to network device and have some level of IPSec involved. Thus I do not believe that is a viable option. Is there any way to make some “trusts” between certain IP addresses and ports?

    Any help on this issue is greatly appreciated.

  • Ok, so you are making your device work in route mode.

    Did you not try the option that I gave you….

    Create a MIP on the DMZ interface map that MIP to the Trust side Client (, and then from DMZ try hitting the MIP IP.

  • Thanks for the reply. Your first two points are correct.

    After initiating the RTFM protocol, I figured that was the issue. Now I have to go through and change all of the policies to policy-based NATs instead of NAT’ing the interface.

    Again, thanks a lot for your reply.

  • From your scenario this is what I gather, please correct me if I am wrong in my understanding.

    1. I think your Trust interface is in NAT mode.
    2. If your Trust interface is in NAT mode, then any of your traffic that has its source in Trust and is destined to DMZ would automatically get NATted; that is what I see happening from your get session output.

    If the 2 points which I have written above are correct, then I can suggest you try the 2 options below.

    a) Create a MIP on the DMZ interface, map that MIP to the Trust side Client (, and then from DMZ try hitting the MIP IP.

    b) Put your Trust interface in Route mode and use policy-based NATs to take care of your normal Trust to Untrust NATs. That would sort out this problem of yours.
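    The two options above as a worked ScreenOS CLI configuration. This is an added example, not configuration from either poster; the interface names, zone names, addresses and the XDMCP service object are assumed placeholders, and the commands are reproduced from memory of the ScreenOS CLI, so check them against your own firmware's reference before applying.

    ```text
    ## Assumed topology (constructed for this example):
    ##   ethernet0/0  zone trust   192.168.1.1/24   Solaris client 192.168.1.20
    ##   ethernet0/1  zone dmz     10.1.1.1/24      management server 10.1.1.10

    ## The problem setting: Trust interface in NAT mode.
    ## Every session sourced from Trust is source-translated to the egress
    ## interface address, so the XDMCP reply leaves with a random source port.
    set interface ethernet0/0 nat

    ## Service object for XDMCP so the policy is not "any" (assumed name; UDP/177).
    set service "XDMCP" protocol udp src-port 0-65535 dst-port 177-177

    ## ---- Option a) MIP on the DMZ interface pointing at the Trust client ----
    ## The client is reachable from DMZ as 10.1.1.50; the reverse traffic of a
    ## session that was initiated through the MIP is un-translated, so the
    ## client's source port 177 is preserved on the way back.
    set interface ethernet0/1 mip 10.1.1.50 host 192.168.1.20 netmask 255.255.255.255 vr trust-vr
    set policy from dmz to trust any mip(10.1.1.50) "XDMCP" permit

    ## ---- Option b) Route mode + policy-based source NAT ----
    ## Interface-level NAT is switched off, so Trust<->DMZ traffic is routed
    ## without translation; only the Trust->Untrust policy carries "nat src".
    set interface ethernet0/0 route
    set address trust "solaris-client" 192.168.1.20 255.255.255.255
    set address dmz   "mgmt-server"    10.1.1.10   255.255.255.255
    set policy from dmz to trust "mgmt-server" "solaris-client" "XDMCP" permit
    set policy from trust to dmz "solaris-client" "mgmt-server" any permit
    set policy from trust to untrust any any any nat src permit

    ## Verification: mode should read "route", and the XDMCP session in the
    ## table should show the client's 192.168.1.20:177 untranslated.
    get interface ethernet0/0
    get session dst-port 177
    ```

    Apply only one of the two options; with a) the DMZ side must address the client by the MIP address, with b) the existing "Trust to Untrust" policies must be rewritten with `nat src` before the interface is flipped to route mode, or outbound Internet traffic loses its translation.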