Firewall Wizards mailing list archives
RE: NAT disappears
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 26 Feb 2001 17:41:37 -0500 (EST)
Can you clarify your meaning here on 'manual rules' rather than auto-generated ones please?

Thanks,

Ron DuFresne

On Mon, 26 Feb 2001, Keith.Morgan wrote:
I remember from my CCSE classes our instructor cautioning us against using automatically generated translation rules. He did not give specific reasons why, but hinted that he had seen some flakiness in the field. I personally cannot verify this, as I took his advice and have always used manual rules.

-----Original Message-----
From: Janz, George [mailto:gjanz () anteon com]
Sent: Monday, February 26, 2001 8:23 AM
To: 'firewall-wizards () nfr com'
Subject: [fw-wiz] NAT disappears

For some time we had a problem with address translation. In all cases, the problem has been with entities - both hidden and static - that have been in place for quite some time. This absolutely eliminates routing as a cause.

We run 19 Firewalls - 4 NT and 15 Nokia 330s. Checkpoint on NT is at 4.1 SP3. Checkpoint on the Nokias is 4.1 SP2 with flows running on IPSO 3.3-FCS3. The remotes are loaded from an NT mgmt console also running 4.1 SP3.

The problem exhibits itself as follows. We have remotes that hide multiple 10Dot address spaces. For no apparent reason, one of the hidden address spaces loses its ability to browse the Internet. Examination of traffic on the outside interface shows that the 10Dots are not being translated. It also exhibits itself for statically translated entities. For example - a previously available OWA server is no longer accessible.

In lots of cases, pushing a policy to the failing remote fixes the problem. In some cases it does not. When it does not, the process of resuscitating the remote is very painful. We have to unload the Firewall, FWstop, delete the state tables, FWstart.

We have tried applying HOTfix 3701 but it seemed to make it worse, so we backed it off. We have tried making the connection table bigger, no luck here either.

The only relief we get is when we eliminate all translation rules generated automatically. We have to do all address translation manually and this seems to stop the problem from occurring.
This is an undesirable solution because it creates a lot of extra work in setting up entities.

Things we have tried but have not seemed to help:

In objects.C we changed:
:nat_limit (25000)
:nat_hashsize (16384)
to
:nat_limit (50000)
:nat_hashsize (65536)
Note: objects.C remains modified as above.

We also tried increasing the size of the connections table in the table.DEF file to hashsize 65536 limit 50000. This also did not seem to help. Note: table.def was reset to 8192 limit 25000.

Table.def has also been modified to keep VPN connections alive during a reload of a policy. Therefore, 'keep' was added after dynamic:
connections = dynamic keep refresh sync expires TCP_START_TIMEOUT
The above change was made a year ago on the 4.0 SP3 firewall mgmt console and carried forward to preserve the VPNs during a reload.

The bottom line here is that the only change that has caused a positive impact was to stop using automatically generated NAT rules and to do them manually. The VAR I use made this suggestion as well as the others above. We are both at our wits' end trying to resolve this. If it proves out that using manual NAT rules versus autoNAT rules gets around the problem, I will go in this direction until some time in the future when I'll try autoNat again. I think the VAR has done a good job as far as helping me; however, the problem goes unresolved and has had the unfortunate side effect of giving a previously almost perfectly performing network a very bad black eye.

George Janz
(860) 599-3910x2358 North Stonington
(703) 246-0266 Fairfax
gjanz () anteon com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
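The symptom George describes, 10Dot sources showing up untranslated on the outside interface, is easy to check for mechanically so the failing hide-NAT network can be identified without waiting for users to report it. The Python below is an added example, not code from the thread or from Check Point; it parses a constructed tcpdump-style capture of the outside interface (sample lines made up here) and reports which configured hide networks are leaking untranslated addresses.

```python
import ipaddress
import re

# Constructed sample of "tcpdump -n"-style lines from the outside interface
# (not taken from the thread). Any 10.x.x.x source seen here means hide-NAT
# was not applied to that packet.
SAMPLE_OUTSIDE_CAPTURE = """\
10:12:01.100 IP 203.0.113.10.40001 > 198.51.100.20.80: S 1:1(0)
10:12:01.200 IP 10.20.5.17.40002 > 198.51.100.20.80: S 1:1(0)
10:12:01.300 IP 203.0.113.10.40003 > 198.51.100.21.443: S 1:1(0)
10:12:01.400 IP 10.30.7.9.40004 > 198.51.100.22.25: S 1:1(0)
10:12:01.500 IP 198.51.100.20.80 > 203.0.113.10.40001: S 1:1(0) ack 2
"""

# Matches "IP <src>.<sport> > <dst>.<dport>:" as tcpdump prints it.
_LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")

# Blocks that must never appear as a source on the outside interface. The
# thread only mentions 10/8; the other RFC 1918 blocks are a generalisation.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def untranslated_sources(capture_text):
    """Return the sorted list of private source IPs seen leaving untranslated."""
    leaked = set()
    for line in capture_text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue  # not a packet line we understand
        src = ipaddress.ip_address(m.group(1))
        if any(src in net for net in PRIVATE_NETS):
            leaked.add(str(src))
    return sorted(leaked)


def leaked_hidden_networks(capture_text, hidden_nets):
    """Map each configured hide-NAT network (e.g. the 10Dot spaces a remote
    hides) to the untranslated hosts seen from it, so the one that has lost
    translation can be singled out. Networks with no leaks are omitted."""
    nets = [ipaddress.ip_network(n) for n in hidden_nets]
    result = {}
    for src in untranslated_sources(capture_text):
        addr = ipaddress.ip_address(src)
        for net in nets:
            if addr in net:
                result.setdefault(str(net), []).append(src)
    return result
```

Feeding a live `tcpdump -n -i <outside>` stream through `untranslated_sources` gives a simple alert condition: any non-empty result on the outside interface means hide-NAT has stopped working for that host's network.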