Symantec 100 VPN/Firewall NAT?

Archived from groups: comp.security.firewalls

Hi all,

We have a Symantec 100 VPN/Firewall utilising NAT on our network. The
problem we have is that NAT is stripping the internal network address
completely out of the header of the packet, and our web-based application
shows the client's IP address from behind the Symantec as the public NAT IP
address. We have tried other firewalls, e.g. Linksys, Netgear and standard
Windows XP Pro machine and they display the private IP address e.g.
192.168.0.100. Is there anything I can change on the Symantec 100? Also if I
replace the Symantec with a Cisco Pix will I still have the same problem?

Thanks in advance,

Kev
  1. On Fri, 23 Jul 2004 14:14:59 +0100, Kevin Howell spoketh

    >Hi all,
    >
    >We have a Symantec 100 VPN/Firewall utilising NAT on our network. The
    >problem we have is that NAT is stripping the internal network address
    >completely out of the header of the packet, and our web-based application
    >shows the client's IP address from behind the Symantec as the public NAT IP
    >address. We have tried other firewalls, e.g. Linksys, Netgear and standard
    >Windows XP Pro machine and they display the private IP address e.g.
    >192.168.0.100. Is there anything I can change on the Symantec 100? Also if I
    >replace the Symantec with a Cisco Pix will I still have the same problem?
    >
    >Thanks in advance,
    >
    >Kev
    >

    Well, first you say that it _is_ stripping the local IP address out of
    the headers, and then you say it isn't. I'm not sure which one is your
    problem...

    If the web based application is on the WAN side of the firewall and the
    clients are on the LAN side of the firewall, then the web based
    application will only see the public (WAN side) IP address of the
    firewall rather than the private IP address of the clients. That's what
    NAT does. It can be disabled, but then you'll need to renumber your LAN
    so all the clients have public IP addresses. (This doesn't mean they'll
    be exposed to the public, just that they are not in the private IP
    address space).


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  2. Kevin Howell wrote:

    > Hi all,
    >
    > We have a Symantec 100 VPN/Firewall utilising NAT on our network. The
    > problem we have is that NAT is stripping the internal network address
    > completely out of the header of the packet, and our web-based application
    > shows the client's IP address from behind the Symantec as the public NAT IP
    > address. We have tried other firewalls, e.g. Linksys, Netgear and standard
    > Windows XP Pro machine and they display the private IP address e.g.
    > 192.168.0.100. Is there anything I can change on the Symantec 100? Also if I
    > replace the Symantec with a Cisco Pix will I still have the same problem?
    >
    > Thanks in advance,
    >
    > Kev

    That is what NAT does - it strips out the internal IP and replaces it
    with the public IP. ALL NAT firewalls will do that - be they Symantec,
    Cisco, Linksys, Netgear, WatchGuard, SonicWall, FireWall-1, etc. etc.

    The only way NOT to have that happen is to not use NAT. But then the
    boxes accessing the Internet all must have public IPs, not private IPs.
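
Added example, not part of the original thread: a minimal Python model of the source NAT behaviour both replies describe, showing that the WAN-side server only ever receives the firewall's public address in the packet header while replies are still mapped back to the right LAN client. The class and function names are hypothetical; 192.168.0.100 comes from the question, and the other addresses and ports are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SourceNat:
    """Hypothetical many-to-one source NAT (port address translation)."""
    public_ip: str
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # (private ip, port) -> public port
    in_map: dict = field(default_factory=dict)   # public port -> (private ip, port)

    def outbound(self, pkt):
        # LAN -> WAN: the private source address is replaced in the header.
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        # WAN -> LAN: only traffic matching an existing mapping is translated back.
        key = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])


def server_sees(pkt):
    """The client address a WAN-side web application can read from the header."""
    return pkt.src_ip


def demo():
    nat = SourceNat(public_ip="203.0.113.10")            # constructed public address
    c1 = Packet("192.168.0.100", 51000, "198.51.100.5", 80)
    c2 = Packet("192.168.0.101", 51000, "198.51.100.5", 80)
    w1, w2 = nat.outbound(c1), nat.outbound(c2)
    reply = Packet("198.51.100.5", 80, w1.src_ip, w1.src_port)
    return w1, w2, nat.inbound(reply)


if __name__ == "__main__":
    w1, w2, back = demo()
    print(server_sees(w1), server_sees(w2), back)
```

Both clients appear to the server as the same public address, distinguished only by the translated source port held in the firewall's mapping table.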