Summary : Solstice Firewall Config

From: Manjeet Rekhi (
Date: Tue Mar 26 1996 - 14:33:00 CST

Sorry for the late summary but I have yet to hear from Checkpoint so the
summary is sort of incomplete. I am putting the answers just after the
questions. Thanks to Hendrik Visage <Hendrik.Visage@VECTOR.CO.ZA> for
detailed response.

------------- ORIGINAL QUESTION WITH ANSWERS EMBEDDED ------------------------

Hello Managers, this question pertains to Netra/Firewall. I am depicting
below the diagram of our present n/w.[hiding all addresses, of course :)]

Router0(Cisco) bbb.bbb.bbb.1
   |bbb.bbb.bbb.0 ccc.ccc.ccc.0
 __|____ ________
| TR 0 | | TR 1 |
 -------\ /--------\
         \0______1/ \
          Sun 625i \
                            Router1(Cisco) ccc.ccc.ccc.1
                          Local Net (TR)
                           has a client - xxx.xx.x.101(unregistered)

Router0 -, bbb.bbb.bbb.1 (Token Ring interface)
TR 0 - Token Ring 0 (bbb.bbb.bbb.0)
Sun's IP address at TR0 - bbb.bbb.bbb.11
Sun's IP address at TR1 - ccc.ccc.ccc.11
TR1 - Token Ring 1 (ccc.ccc.ccc.0)
Router1 - ccc.ccc.ccc.1
Client - xxx.xx.x.101 (unregistered)

Firewall rule base is simply :
Source Destination Services Action
localnet Any Any Accept
Any Any Any Reject

localnet's ip address is ccc.ccc.ccc.0

fwxlconf table has a entry:
>From To Method 1st Translated address
xxx.xx.x.21 xxx.xx.x.240 FWXT_SRC_STATIC bbb.bbb.bbb.21

There is no host on TR1 (We will be putting mail,ftp, etc. servers later
here) and all hosts are behind Router1.

netstat -rn gives :

Dest. Gateway
xxx.xx.0.0 ccc.ccc.ccc.1 <<-- Entered manually
bbb.bbb.bbb.0 bbb.bbb.bbb.11
ccc.ccc.ccc.0 ccc.ccc.ccc.11
default bbb.bbb.bbb.1

Now the questions AND ANSWERS are :

Q1. The client does not work if we do not put 2nd entry manually. Our
understanding is that since translation table should translate client's
address to a registered address, this entry should not be there. Why does
Sun m/c needs this routing info ?

A1. Kernel is able to route only untranslated IPs so this is required.

Q2. We have plans to connect other internal (unregistered) networks too.
Does that mean we have to put their routing info also ?

A2. Yes

Q3. If answer to Q2 is yes, how can our network get connected to a host
outside whose registered address happens to be one of our internal addresses
? Firewall will never allow any packet to be received from that host because
of anti-spoofing.

A3. To use internal addresses mentioned in RFC 1597. These addresses are :

Unfortunately, not all of our internal addresses are falling in this range.
We are trying to find out a solution from Checkpoint.

Q4. What is the advantage/disadvantage of using FWXT_SRC_STATIC versus
FWXT_HIDE ? Does FWXT_HIDE gives only one (legal)IP address as compared to
FWXT_SRC_STATIC which provides a range ?

A4. FWXT_HIDE is useful when you have few or only one legal IP address. For
a session, it attaches a unique port# so it is a sort of dynamic. Nobody can
connect from outside.
FWXT_SRC_STATIC is used for range of addresses and for 2-way
communication(like mail server), it is used in conjunction with FWXT_DST_STATIC.

Q5. Can I have dynamic addressing translation instead of static ? FW
software gives only two options : FWXT_SRC_STATIC (with FWXT_DST_STATIC) and

A5. FWXT_HIDE is dynamic.

Manjeet Singh Rekhi

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:56 CDT