Firewall Wizards mailing list archives
PC Anywhere: Allow, with NAT, under FW-1
From: "Cannella, Michael (ISS Southfield)" <mcannell () iss net>
Date: Thu, 13 Jan 2000 18:04:31 -0500
Sidestepping for the moment the safety/advisability of using pc anywhere through your firewall...

Assumption 1: Since you think ping should work, I'll assume ICMP is permitted through the firewall (check if policy properties has "allow ICMP" checked). I would be very cautious with allowing it myself...

Assumption 2: Your PC Anywhere service is correctly defined, you know the network objects in your firewall, and you understand the implications of doing what I'm suggesting.

You identified the real issue here: the accessibility of your workstation@work.
My problem is my pc ip address is only valid to the internal network at work not to the internet.
My pc at home cannot ping my pc at work. Therefore I cannot see the pcanywhere host (workstation at work) from my remote pc (pc at home).
Your workstation@work has a reserved address. It needs to have a legal external address to get incoming traffic from the internet. If that workstation has internet access now, you either
a) are already using address translation (NAT), or
b) only use proxied connections to the internet (probably not, since it only works for TELNET, FTP, HTTP, RLOGIN).

FW-1 can use static mode NAT or hide mode NAT (the FW docs say 3 but work with me here). Static mode assigns one legal address externally for every reserved internal address being translated. The firewall directly substitutes the legal IP for outgoing traffic and the reserved IP for incoming traffic. If you were using this, you should have been able to ping your box from outside. Since you cannot, you are probably using hide mode, which hides all internal reserved addresses behind a single legal external address. It assigns a specific port to each outgoing connection, so it can distinguish traffic from different internal hosts.

Two things about hide mode:
1) It only works on outgoing connections, because the fw assigns ports to outgoing traffic only.
2) ICMP is an IP protocol apart from TCP, which doesn't use ports, and is not supported by hide mode.

----solution that is only safe, really, if you have a fixed ip on box@home---------
To make your situation work, you need to create firewall workstation objects for your box@home and your workstation@work. For the workstation@work you need to address translate it to a fixed legal external ip. You can use automatic NAT on the NAT tab of that workstation object, if you like. Then create a rule to allow the pc anywhere service _only to your workstation, and only from your ip address at home_. If you have a dynamic ip address at home (or even if you do), the following solution is much safer.

-----Much safer solution------
A much better solution would be to install SecuRemote on your home pc, and create a rule for vpn.
This would let you have a dynamic address on box@home, and allow it to act like a host on your network at work, plus encrypt all of your traffic. The rule to create it would look like this:

src        dest          svc      action          track
--------------------------------------------------------
you@any    internal.net  pc-any   client encrypt  long

You don't need to create an object for box@home, just a user object to authenticate for SecuRemote. Creating a firewall user and setting up encryption and authentication are left as an exercise for the reader (consult your FW-1 manuals).

----Michael Cannella, Checkpoint Certified Security Instructor
----Internet Security Systems, eServices ( http://www.iss.net )
----mcannella () iss net

-----Original Message-----
From: Louis Mattera [mailto:lmattera () cwtel com]

I am having a problem getting thru my firewall at work using pcanywhere 9.0. I am using a cisco router attached to a fractional t1 at work. Attached to the router is a checkpoint firewall. The ip addresses from the firewall out to the internet are valid tcp/ip addresses that can be ping'd from the internet. Behind the firewall is my pc workstation running windows 98. I have enabled the correct ports on the firewall for pcanywhere to work.

My problem is my pc ip address is only valid to the internal network at work not to the internet. My pc at home cannot ping my pc at work. Therefore I cannot see the pcanywhere host (workstation at work) from my remote pc (pc at home). What reading I have done so far tells me I need to do some kind of address translation at the firewall but I cannot figure it out. So I am seeking help. Hopefully I have provided enough information to whomever responds.

The network behind the firewall is nt 4.0. Should have mentioned it sooner.

Thanks for your help. Please respond to my email lmattera () cwtel com.
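The static-mode versus hide-mode distinction in the reply above can be made concrete with a small simulation. The following is an added example, not code from the original thread or from Check Point: it models the two NAT behaviours as translation tables and shows that an unsolicited inbound TCP connection from the home PC reaches the work PC only under static NAT, that hide NAT delivers only the return traffic of a connection the work PC itself opened, and that a portless protocol such as ICMP has nothing for hide mode to key on. All addresses are constructed (RFC 1918 and documentation ranges); TCP 5631 is the pcAnywhere data port.

```python
"""Toy model of static-mode vs hide-mode NAT (added example, not FW-1 code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


class StaticNAT:
    """One legal external address per translated internal host, in both directions."""

    def __init__(self, internal_to_external):
        self.in2out = dict(internal_to_external)
        self.out2in = {ext: internal for internal, ext in internal_to_external.items()}

    def outbound(self, p):
        ext = self.in2out.get(p.src)
        return Packet(p.proto, ext, p.dst, p.sport, p.dport) if ext else p

    def inbound(self, p):
        internal = self.out2in.get(p.dst)
        if internal is None:
            return None                      # no mapping: nowhere to deliver
        return Packet(p.proto, p.src, internal, p.sport, p.dport)


class HideNAT:
    """All internal hosts behind one external address; a port is assigned per outgoing connection."""

    def __init__(self, hide_addr, first_port=10000):
        self.hide_addr = hide_addr
        self.next_port = first_port
        # (assigned external port, remote addr, remote port) -> (internal addr, internal port)
        self.table = {}

    def outbound(self, p):
        if p.proto != "tcp":
            return None                      # no port to assign, so no table entry (modelling the post's ICMP claim)
        port = self.next_port
        self.next_port += 1
        self.table[(port, p.dst, p.dport)] = (p.src, p.sport)
        return Packet("tcp", self.hide_addr, p.dst, port, p.dport)

    def inbound(self, p):
        if p.proto != "tcp":
            return None
        entry = self.table.get((p.dport, p.src, p.sport))
        if entry is None:
            return None                      # no outgoing connection created this port: dropped
        internal, iport = entry
        return Packet("tcp", p.src, internal, p.sport, iport)


# Constructed addresses for the scenario in the thread.
WORK_PC = "10.0.0.25"        # reserved address of workstation@work
WORK_EXT = "198.51.100.25"   # legal external address given to it by static NAT
FW_HIDE = "198.51.100.1"     # the firewall's single hide address
HOME_PC = "203.0.113.7"      # box@home
PCANYWHERE_TCP = 5631        # pcAnywhere data port


def inbound_tcp_under_static():
    """Home PC opens a pcAnywhere session to the work PC's static external address."""
    nat = StaticNAT({WORK_PC: WORK_EXT})
    delivered = nat.inbound(Packet("tcp", HOME_PC, WORK_EXT, 40000, PCANYWHERE_TCP))
    return delivered is not None and delivered.dst == WORK_PC


def inbound_tcp_under_hide():
    """Same attempt against the hide address: no table entry exists, so it is dropped."""
    nat = HideNAT(FW_HIDE)
    return nat.inbound(Packet("tcp", HOME_PC, FW_HIDE, 40000, PCANYWHERE_TCP)) is not None


def reply_to_outbound_under_hide():
    """Hide mode does deliver the return half of a connection the work PC opened."""
    nat = HideNAT(FW_HIDE)
    out = nat.outbound(Packet("tcp", WORK_PC, HOME_PC, 1025, 80))
    reply = nat.inbound(Packet("tcp", HOME_PC, FW_HIDE, 80, out.sport))
    return reply is not None and reply.dst == WORK_PC and reply.dport == 1025


def icmp_under_hide():
    """An outgoing ping from the work PC: no ports, so hide mode cannot track it."""
    nat = HideNAT(FW_HIDE)
    return nat.outbound(Packet("icmp", WORK_PC, HOME_PC)) is not None


if __name__ == "__main__":
    print("static NAT, inbound pcAnywhere reaches work PC:", inbound_tcp_under_static())
    print("hide NAT, inbound pcAnywhere reaches work PC:  ", inbound_tcp_under_hide())
    print("hide NAT, reply to outgoing connection delivered:", reply_to_outbound_under_hide())
    print("hide NAT, outgoing ICMP tracked:                ", icmp_under_hide())
```

The model deliberately keys hide-mode state on the (port, remote address, remote port) tuple the firewall assigned on the way out; anything arriving that was not created by an outgoing connection has no entry and is dropped, which is exactly why the home PC's unsolicited connection (and its ping) never reach the workstation until a static translation and a narrowly scoped rule, or the SecuRemote VPN, are in place.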
Current thread:
- PC Anywhere: Allow, with NAT, under FW-1 Cannella, Michael (ISS Southfield) (Jan 15)
- Blocking scanning from outside James Wilson (Jan 18)
- Re: Blocking scanning from outside Chris Brenton (Jan 19)
- Re: Blocking scanning from outside Joe Matusiewicz (Jan 19)