Firewall Wizards mailing list archives

Re: NAT and NetBios


From: roger nebel <roger () homecom com>
Date: Sat, 19 Dec 1998 11:23:32 -0500

define objects using their actual IP address (NAT is *not* required) for
each of the internal hosts that the securemote users need to reach and
check export and put those objects in a group (or not) and put the
objects or group in the encryption domain.  choose encapsulate
securemote.  (take a look at the userc.C topology file that is
downloaded to the securemote client after authentication, and, you do
want to also *unchoose* allow unauthenticated topology requests for
obvious reasons which you will see in the userc.C file if it can be
downloaded by anybody who does a create site against your firewall). 
find computer on the target object's actual IP address (NAT is *not*
required).  create a shortcut to that object for easy access
thenceforth.  If the securemote client is 95/98 they will need to have
logged in as the domain user because of the way 95/98 caches logon
credentials.  if NT, the logon credentials will be presented to the
server object and the user will be prompted if that account or password
is not on that particular server.  (Note: this works fine with 4.0, with
3.0x YMMV)

or, write an inspect script to open the NBT header and translate the NBT
address on the fly.

Leslie Jay wrote:

Greetings,

  While I'm aware that NetBios over TCP (NBT) definitely is going to
  be a problem with most NAT products, in this particular case FW-1,
  because the host IP is contained in the payload which the NAT is
  not going to translate, there aren't many resources about how to
  resolve it.

  I'm sure that having known about this situation for so long, some
  creative soul must have figured out how to overcome it. I'm sure
  it is quite impossible to avoid altogether. For some reason, some
  people just NEED to be able to login to the WinNT domain from
  anywhere in the world.

  To save myself some sleepless, hair-pulling nights, I hope
  someone can share their findings, or recommend a possible lead.

/Leslie


Attachment: vcard.vcf
Description: Card for Roger Nebel
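
Added example (not part of either message above, and not Check Point code): a small diagnostic that parses a NetBIOS name service packet in the RFC 1002 layout and reports any address carried in the payload that differs from the source address seen after NAT, which is the mismatch the thread describes. The registration packet, host name and addresses are constructed sample values, and using the name registration message as the illustration is an assumption, since the thread does not say which NBT message is involved.

```python
import socket
import struct

NB_TYPE = 0x0020  # resource record type "NB" (RFC 1002)

def encode_nb_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars + suffix byte, two letters per byte."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    half = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + half + b"\x00"

def build_registration(name, ip, trn_id=0x1234):
    """Constructed sample: name registration request, 1 question + 1 additional RR."""
    header = struct.pack(">HHHHHH", trn_id, 0x2910, 1, 0, 0, 1)
    question = encode_nb_name(name) + struct.pack(">HH", NB_TYPE, 1)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)  # NB_FLAGS + NB_ADDRESS
    rr = b"\xc0\x0c" + struct.pack(">HHIH", NB_TYPE, 1, 300000, len(rdata)) + rdata
    return header + question + rr

def skip_name(pkt, off):
    """Return the offset just past a name (label sequence or 2-byte pointer)."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def embedded_addresses(pkt):
    """Collect every NB_ADDRESS found in the packet's resource records."""
    qd, an, ns, ar = struct.unpack(">HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # name + type + class
    addrs = []
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == NB_TYPE:                   # RDATA = repeated (flags, address)
            for i in range(0, rdlen - rdlen % 6, 6):
                addrs.append(socket.inet_ntoa(pkt[off + i + 2:off + i + 6]))
        off += rdlen
    return addrs

def nat_mismatch(pkt, observed_src):
    """Payload addresses that NAT left untranslated relative to the IP header."""
    return [a for a in embedded_addresses(pkt) if a != observed_src]
```

Calling nat_mismatch(build_registration("FILESRV", "10.1.2.3"), "192.0.2.10") returns the internal address still present in the payload; an empty list means the payload and the observed source agree.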

