
Nokia vs PIX

Old 07 February 2002, 11:31 PM
  #1  
Andrewza
Scooby Regular
Thread Starter
 
Join Date: Jan 2002
Posts: 667

PAT? Not NAT? How many connections are you talking?

Nokias are FreeBSD-based, although they use Checkpoint for the firewalling. I use a FreeBSD machine for NAT with IPFilter mapping connections into the 10000 <-> 30000 range, which is quite a few. I assume Checkpoint can do similar, so you must be talking a lot if 20K simultaneous isn't enough.

Hmm, bit of a read at Cisco. Is PAT essentially the equivalent of the portmap statement in IPFilter, which remaps outgoing connections' source ports so they don't collide with source ports from other machines, e.g.

map rl0 10.0.0.0/16 -> 111.111.111.111/32 portmap tcp/udp 10000:30000

which allows all the machines in the range specified to be mapped onto that one IP specified, though obviously you can change the /32 to map across multiple IPs. Still a lot of connections if you're doing more than 20K, and that's not a hard limit in my case, just what I configured.

[Edited by Andrewza - 7/2/2002 11:44:00 PM]
Old 07 March 2002, 12:36 AM
  #2  
ids
Scooby Regular
 
Join Date: May 1999
Posts: 424

Deano,

'Fraid not mate - certainly not in FW1 4.1 SP6 and not on NG FP1 (haven't got round to installing FP2 - but I know there's a lot of things been changed) - however remember doing PAT behind a single IP still gives you a good few tens of thousands of actual connections.

While you may be able to do PAT with IPFilter, it's definitely not supported by Nokia and not recommended. Last info I had is that IPSO was so far away from the original FreeBSD/NetBSD that the majority of binaries etc. will not run on it anyway.

As it happens I've just been putting in a few PIX535's and IP530's so am 95% sure.

I'm a fan of Firewall-1 (worked on PIX (535's rock!), Gauntlet, Raptor, etc. etc.) but we were joking in the office the other day and I reckon everyone who works with Firewall-1 knows most of the frigs to make things work, rather than Checkpoint actually fixing any of the problems/'features'!!

For those who think the PIX O/S is a bad port of IOS, you want to see the CSS11000 WebOS - let's just say they are 'transitioning' still from Arrowpoint code!

Ids

[Edited by ids - 7/3/2002 12:38:20 AM]
Old 02 July 2002, 09:17 AM
  #3  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518

Simple question..

With a Cisco PIX (and indeed any Cisco IOS device) you can have "Pools" of addresses for PAT (enabling large numbers of connections to be PATed). Last time I used FW-1 (NT or Solaris FW 4.0, I think) you couldn't - you can have Pools for NAT or a single address for PAT (which limits the number of simultaneous connections).

Anyone use the latest Nokias and FW-1 - can they now do proper PAT pools?

Thanks
Deano
Old 02 July 2002, 12:33 PM
  #4  
Jeff Wiltshire
Scooby Regular
 
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

Deano

I don't think that it has changed (at least with 4.1 SP6). Isn't PAT a Cisco 'thing' anyway?

Jeff
Old 02 July 2002, 08:10 PM
  #5  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518

Well, most F/Ws do PAT or Hide addresses. It does seem Cisco is unique in allowing a pool of addresses for PAT though.

We have a very large number of connections which need to be PATed and they easily cause problems with just one or two addresses.

If we move our PAT from PIX to Nokia we'll have to **** about using some addresses to "hide" http, some for https etc., even defining different Hide addresses for different subnet blocks. Very annoying. (But at least the Nokias might work.)

Deano
Old 03 July 2002, 08:34 AM
  #6  
dsmith
Scooby Regular
 
Join Date: Mar 1999
Posts: 4,518

It's a large network and the previous gateway used 2 FW-1s, each with a single "Hide" (PAT) address. At very busy peak periods (you know - England matches, Tim Henman playing, that sort of thing) we were getting warnings from FW-1 about no free ports. Caching (and then NATing the caches) does reduce the number of simultaneous connections required.

It's frustrating, as the current gateway has provision for clusters of Nokia FW-1 for the actual firewall functionality, but for various reasons the NAT is done several layers further up by some PIXs.

We are pushing for a redesign to move the NAT/PAT down to the Nokias, but it is not a trivial infrastructure so I was looking for some background.

IDS - you used Gig E with your PIXs?

Many Thanks

Deano
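As a worked illustration of the capacity question in this thread (added here; it is not code from any of the posters or from IPFilter, PIX or FW-1): a toy PAT allocator in Python using the 10000:30000 source-port range from Andrewza's IPFilter rule, showing why a single hide address produces Deano's "no free ports" warnings at peak and how a PIX-style pool of addresses lifts the ceiling. The addresses 192.0.2.x, 203.0.113.10 and 10.0.x.y are constructed documentation/private-range values, and the allocator's behaviour is a deliberate simplification, not any vendor's algorithm.

```python
from collections import deque
# Port range taken from the IPFilter "portmap tcp/udp 10000:30000" rule in post #1.
PORT_LO, PORT_HI = 10000, 30000

class PortExhausted(Exception):
    """No free (public IP, port) pair left: the 'no free ports' condition."""

class PatTable:
    """Toy PAT (hide / overload) table, not any vendor's implementation.
    Simplification: every translation consumes one public port regardless of
    destination, which is the worst case for port consumption. A one-entry
    pool models a single hide address; more entries model a PIX-style pool."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.free = {ip: deque(range(PORT_LO, PORT_HI + 1)) for ip in self.pool}
        self.table = {}  # (src_ip, src_port, dst) -> (pub_ip, pub_port)

    def capacity(self):
        return len(self.pool) * (PORT_HI - PORT_LO + 1)

    def allocate(self, src_ip, src_port, dst):
        key = (src_ip, src_port, dst)
        if key in self.table:        # existing flow keeps its mapping
            return self.table[key]
        for pub_ip in self.pool:     # first pool address with a free port wins
            if self.free[pub_ip]:
                mapping = (pub_ip, self.free[pub_ip].popleft())
                self.table[key] = mapping
                return mapping
        raise PortExhausted(f"no free ports for {key}")

    def release(self, src_ip, src_port, dst):
        pub_ip, pub_port = self.table.pop((src_ip, src_port, dst))
        self.free[pub_ip].append(pub_port)  # port goes back to the free list

def simulate_peak(pool, clients, conns_per_client):
    """Constructed peak load: `clients` internal hosts each open
    `conns_per_client` flows to one web server. Returns (translated, refused)."""
    pat = PatTable(pool)
    ok = refused = 0
    for c in range(clients):
        src_ip = f"10.0.{c // 256}.{c % 256}"
        for p in range(conns_per_client):
            try:
                pat.allocate(src_ip, 1024 + p, ("203.0.113.10", 80))
                ok += 1
            except PortExhausted:
                refused += 1
    return ok, refused
```

With 30 hosts opening 1000 flows each, one hide address translates 20001 and refuses 9999, while a two-address pool translates all 30000; caching, as Deano notes, helps by cutting the number of simultaneous flows that need a port.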
Old 03 July 2002, 10:17 AM
  #7  
ids
Scooby Regular
 
Join Date: May 1999
Posts: 424

Deano

No, not at the moment, as we currently don't need it, due to it all being used for some e-commerce hosting sites with small ISP pipes out - well, relative to the speed of 100FDX that all the kit uses.

Design uses specific up/down links that are monitored and could easily be upgraded to GigEth should we need to. The Nokia side's a bit more interesting as we used IP530's as the IP740's are stupid prices really.... Gig will come for them in time I guess.

Just been looking at NG FP1 - looks like the option is there to do static PAT to a port range, but as ever with Checkpoint the option does not seem to do anything. Hopefully in the next week or so I may get a chance to look at FP2 - that may allow it to work.... I'll let you know.

Ids
Old 03 July 2002, 01:09 PM
  #8  
Andrewza
Scooby Regular
Thread Starter
 
Join Date: Jan 2002
Posts: 667

IPFilter isn't FreeBSD specific, you can hook it into Solaris if you so desire; still, it's some kernel bits and probably not the best thing to try and bung into your shiny expensive Nokia firewall.

Easier to take a PC (Dell 2650 would be ideal, dual GigE interfaces integrated) and bung in GigE interfaces, install FreeBSD and make a firewall from it.