Symantec 100 VPN/Firewall NAT?

Guest
Archived from groups: comp.security.firewalls

Hi all,

We have a Symantec 100 VPN/Firewall utilising NAT on our network. The
problem we have is that NAT is stripping the internal network address
completely out of the header of the packet, and our web based application
shows the client's IP address from behind the Symantec as the public NAT IP
address. We have tried other firewalls, e.g. Linksys, Netgear and a standard
Windows XP Pro machine and they display the private IP address e.g.
192.168.0.100. Is there anything I can change on the Symantec 100? Also if I
replace the Symantec with a Cisco Pix will I still have the same problem?

Thanks in advance,

Kev
 
Guest

Kevin Howell wrote:

> Hi all,
>
> We have a Symantec 100 VPN/Firewall utilising NAT on our network. The
> problem we have is that NAT is stripping the internal network address
> completely out of the header of the packet, and our web based application
> shows the client's IP address from behind the Symantec as the public NAT IP
> address. We have tried other firewalls, e.g. Linksys, Netgear and a standard
> Windows XP Pro machine and they display the private IP address e.g.
> 192.168.0.100. Is there anything I can change on the Symantec 100? Also if I
> replace the Symantec with a Cisco Pix will I still have the same problem?
>
> Thanks in advance,
>
> Kev

That is what NAT does - it strips out the internal IP and replaces it
with the public IP. ALL NAT firewalls will do that - be they Symantec,
Cisco, Linksys, Netgear, WatchGuard, SonicWall, FireWall-1, etc. etc.

The only way NOT to have that happen is to not use NAT. But then the
boxes accessing the Internet all must have public IPs, not private IPs.
 
Guest

On Fri, 23 Jul 2004 14:14:59 +0100, Kevin Howell spoketh

>Hi all,
>
>We have a Symantec 100 VPN/Firewall utilising NAT on our network. The
>problem we have is that NAT is stripping the internal network address
>completely out of the header of the packet, and our web based application
>shows the client's IP address from behind the Symantec as the public NAT IP
>address. We have tried other firewalls, e.g. Linksys, Netgear and a standard
>Windows XP Pro machine and they display the private IP address e.g.
>192.168.0.100. Is there anything I can change on the Symantec 100? Also if I
>replace the Symantec with a Cisco Pix will I still have the same problem?
>
>Thanks in advance,
>
>Kev
>

Well, first you say that it _is_ stripping the local IP address out of
the headers, and then you say it isn't. I'm not sure which one is your
problem...

If the web based application is on the WAN side of the firewall and the
clients are on the LAN side of the firewall, then the web based
application will only see the public (WAN side) IP address of the
firewall rather than the private IP address of the clients. That's what
NAT does. It can be disabled, but then you'll need to renumber your LAN
so all the clients have public IP addresses. (This doesn't mean they'll
be exposed to the public, just that they are not in the private IP
address space).


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
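
The header rewrite that both replies describe, as an added example that is not part of the original thread: it builds a minimal IPv4 header, overwrites the source address the way a NAT device does, and recomputes the header checksum. The public and server addresses are constructed values from the documentation ranges, and the function names are hypothetical.

```python
import socket
import struct

LAN_CLIENT = "192.168.0.100"  # private address quoted in the thread
NAT_PUBLIC = "203.0.113.10"   # constructed: firewall WAN address (TEST-NET-3)
SERVER = "198.51.100.20"      # constructed: web application host (TEST-NET-2)


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the 16-bit words of the header (RFC 1071)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src: str, dst: str, proto: int = 6, payload_len: int = 20) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def source_nat(header: bytes, public_ip: str) -> bytes:
    """Overwrite bytes 12-15 (source address) and recompute the checksum."""
    hdr = header[:10] + b"\x00\x00" + socket.inet_aton(public_ip) + header[16:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def source_of(header: bytes) -> str:
    """The address a receiving server reads as the client's."""
    return socket.inet_ntoa(header[12:16])


if __name__ == "__main__":
    before = build_header(LAN_CLIENT, SERVER)
    after = source_nat(before, NAT_PUBLIC)
    print("LAN side :", source_of(before), before.hex())
    print("WAN side :", source_of(after), after.hex())
    # The private address no longer appears anywhere in the translated header.
    print("private address still present:", socket.inet_aton(LAN_CLIENT) in after)
```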