Firewall Wizards mailing list archives

PC Anywhere: Allow, with NAT, under FW-1


From: "Cannella, Michael (ISS Southfield)" <mcannell () iss net>
Date: Thu, 13 Jan 2000 18:04:31 -0500

Sidestepping for the moment the safety/advisability of using pc anywhere
through your firewall...
 
Assumption 1:  Since you think ping should work, I'll assume ICMP is
permitted through the firewall (check if policy properties has "allow ICMP"
checked).  I would be very cautious with allowing it myself...
 
Assumption 2:  Your PC Anywhere service is correctly defined, you know the
network objects in your firewall, and you understand the implications of
doing what I'm suggesting.
You identified the real issue here:  the accessibility of your
workstation@work.
 
My problem is my pc ip address is only valid to the internal network at
work not to the internet. My pc at home cannot ping my pc at work.
Therefore I cannot see the pcanywhere host (workstation at work) from my
remote pc (pc at home).
 
Your workstation@work has a reserved address.  It needs to have a legal
external address to get incoming traffic from the internet.  If that
workstation has internet access now, you either
 
     a)  are already using address translation (NAT)
     b)  only use proxied connections to the internet  (probably not, since
it only works for TELNET, FTP, HTTP, RLOGIN)
 
 
FW-1 can use static mode NAT or hide mode NAT  (the FW docs say 3 but work
with me here).
 
Static mode assigns one legal address externally for every reserved internal
address being translated.  The firewall directly substitutes the legal IP
for outgoing traffic and the reserved IP for incoming traffic. If you were
using this, you should have been able to ping your box from outside.
 
Since you cannot, you are probably using hide mode, which hides all internal
reserved addresses behind a single legal external address.  It assigns a
specific port to each outgoing connection, so it can distinguish traffic
from different internal hosts.  Two things about hide mode:
 
   1) It only works on outgoing connections, because the fw assigns ports to
outgoing traffic only.
   2) ICMP is an IP protocol apart from TCP, which doesn't use ports, and is
not supported by hide mode.
 
----solution that is only safe, really, if you have a fixed ip on box@home---------
To make your situation work, you need to create firewall workstation objects
for your box@home and your workstation@work. For the workstation@work you
need to address translate it to a fixed legal external ip.  You can use
automatic NAT on the NAT tab of that workstation object, if you like.
 
Then create a rule to allow the pc anywhere service _only to your
workstation, and only from your ip address at home_. If you have a dynamic
ip address at home (or even if you do), the following solution is much safer.
 
-----Much safer solution------
A much better solution would be to install SecuRemote on your home pc, and
create a rule for vpn.  This would let you have a dynamic address on
box@home, and allow it to act like a host on your network at work, plus
encrypt all of your traffic.  The rule to create it would look like this:
 
     src          dest            svc        action            track
     -----------------------------------------------------------------
     you@any      internal.net    pc-any     client encrypt    long
 
 
You don't need to create an object for box@home, just a user object to
authenticate for SecuRemote.  Creating a firewall user and setting up
encryption and authentication are left as an exercise for the reader
(consult your FW-1 manuals).
 
 
----Michael Cannella,   Checkpoint Certified Security Instructor
----Internet Security Systems, eServices ( http://www.iss.net )
----mcannella () iss net

-----Original Message-----
From: Louis Mattera [mailto:lmattera () cwtel com]

I am having a problem getting through my firewall at work using pcanywhere 9.0.
I am using a cisco router attached to a fractional t1 at work. Attached to
the router is a checkpoint firewall. The ip addresses from the firewall out
to the internet are valid tcp/ip addresses that can be pinged from the
internet. Behind the firewall is my pc workstation running windows 98. I
have enabled the correct ports on the firewall for pcanywhere to work.
My problem is my pc ip address is only valid to the internal network at work
not to the internet. My pc at home cannot ping my pc at work. Therefore I
cannot see the pcanywhere host (workstation at work) from my remote pc (pc
at home). What reading I have done so far tells me I need to do some kind of
address translation at the firewall but I cannot figure it out. So I am
seeking help.
Hopefully I have provided enough information to whoever responds.
The network behind the firewall is nt 4.0. Should have mentioned it sooner.
Thanks for your help. Please respond to my email lmattera () cwtel com.
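The hide-mode versus static-mode distinction in Michael's reply, modelled as a small Python simulation (an added example, not from the original post or from Check Point's FW-1): hide mode maps replies back by the per-connection port it allocated on the way out, so an unsolicited inbound pcANYWHERE connection and a port-less ICMP echo have nothing to map to, while static mode's one-to-one mapping lets inbound traffic reach the workstation. Addresses are constructed (RFC 5737 / RFC 1918) and the pcANYWHERE data port (TCP 5631) is not stated on the page.

```python
from dataclasses import dataclass, field

PCANYWHERE_TCP = 5631   # pcANYWHERE data port; not stated in the post


@dataclass
class HideNat:
    """Hide mode: all internal hosts share one legal address; the firewall
    allocates a fresh source port per *outgoing* TCP/UDP connection and
    remembers it so the reply can be mapped back to the right host."""
    hide_addr: str
    next_port: int = 10000
    table: dict = field(default_factory=dict)   # ext port -> (int ip, int port)

    def outbound(self, src_ip, src_port, proto):
        if proto not in ("tcp", "udp"):         # ICMP has no port to rewrite
            return None
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (src_ip, src_port)
        return (self.hide_addr, ext_port)

    def inbound(self, dst_port, proto):
        """Only packets matching a remembered outbound flow are mapped; an
        unsolicited connection (pcANYWHERE from home) has no entry."""
        if proto not in ("tcp", "udp"):
            return None
        return self.table.get(dst_port)         # None => dropped

@dataclass
class StaticNat:
    """Static mode: one legal address per translated internal host, so an
    inbound packet to the legal address reaches that host directly."""
    mapping: dict                               # legal ip -> internal ip

    def inbound(self, dst_ip, dst_port, proto):
        int_ip = self.mapping.get(dst_ip)
        return (int_ip, dst_port) if int_ip else None

def demo():
    """Constructed scenario: workstation@work is 10.0.0.5 (RFC 1918)."""
    hide = HideNat("192.0.2.1")
    web = hide.outbound("10.0.0.5", 40000, "tcp")        # browsing out: works
    reply = hide.inbound(web[1], "tcp")                   # reply mapped back
    pca_hide = hide.inbound(PCANYWHERE_TCP, "tcp")        # home -> work: None
    ping_hide = hide.outbound("10.0.0.5", None, "icmp")   # no port: None
    static = StaticNat({"192.0.2.10": "10.0.0.5"})
    pca_static = static.inbound("192.0.2.10", PCANYWHERE_TCP, "tcp")
    return {"web": web, "reply": reply, "pca_hide": pca_hide,
            "ping_hide": ping_hide, "pca_static": pca_static}
```

Running demo() shows the poster's symptom directly: the outbound web flow and its reply succeed under hide mode, the inbound pcANYWHERE attempt and the ping have no mapping, and only the static entry delivers inbound traffic to 10.0.0.5.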

