PC Anywhere: Allow, with NAT, under FW-1
Subject: PC Anywhere: Allow, with NAT, under FW-1
From: Cannella, Michael (ISS Southfield) (mcannell@iss.net)
Date: Thu Jan 13 2000 - 17:04:31 CST
Sidestepping for the moment the safety/advisability of using pc anywhere
through your firewall...
Assumption 1: Since you think ping should work, I'll assume ICMP is
permitted through the firewall (check if policy properties has "allow ICMP"
checked). I would be very cautious with allowing it myself...
Assumption 2: Your PC Anywhere service is correctly defined, you know the
network objects in your firewall, and you understand the implications of
doing what I'm suggesting.
You identified the real issue here: the accessibility of your
workstation@work.
>My problem is my pc ip address is only valid to the internal network at
>work not to the internet.
>My pc at home can not ping my pc at work. Therefore I can not see the
>pcanywhere host
>(workstation at work) from my remote pc (pc at home).
Your workstation@work has a reserved address. It needs to have a legal
external address to get incoming traffic from the internet. If that
workstation has internet access now, you either
a) are already using address translation (NAT)
b) only use proxied connections to the internet (probably not, since
it only works for TELNET,FTP,HTTP,RLOGIN)
FW-1 can use static mode NAT or hide mode NAT (the FW docs say 3 but work
with me here).
Static mode assigns one legal address externally for every reserved internal
address being translated. The firewall directly substitutes the legal IP
for outgoing traffic and the reserved IP for incoming traffic. If you were
using this, you should have been able to ping your box from outside.
Since you cannot, you are probably using hide mode, which hides all internal
reserved addresses behind a single legal external address. It assigns a
specific port to each outgoing connection, so it can distinguish traffic
from different internal hosts. Two things about hide mode:
1) It only works on outgoing connections, because the fw assigns ports to
outgoing traffic only.
2) ICMP is an IP protocol apart from TCP, which doesn't use ports, and is
not supported by hide mode.
----solution that is only safe, really, if you have a fixed ip on
box@home---------
To make your situation work, you need to create firewall workstation objects
for your box@home and your workstation@work. For the workstation@work you
need to address translate it to a fixed legal external ip. You can use
automatic NAT on the NAT tab of that workstation object, if you like.
Then create a rule to allow the pc anywhere service _only to your
workstation, and only from your ip address at home_. If you have a dynamic
ip address at home (or even if you do), the following solution is much safer
-----Much safer solution------
A much better solution would be to install SecuRemote on your home pc, and
create a rule for vpn. This would let you have a dynamic address on
box@home, and allow it to act like a host on your network at work, plus
encrypt all of your traffic. The rule to create it would look like this:
src        dest               svc       action           track
----------------------------------------------------------------------------
you        any internal.net   pc-any    client encrypt   long

You don't need to create an object for box@home, just a user object to
authenticate for SecuRemote. Creating a firewall user and setting up
encryption and authentication are left as an exercise for the reader
(consult your FW-1 manuals).

----Michael Cannella, Checkpoint Certified Security Instructor
----Internet Security Systems, eServices ( http://www.iss.net )
----mcannella@iss.net
-----Original Message-----
From: Louis Mattera [mailto:lmattera@cwtel.com]

I am having a problem getting thru my firewall at work using pcanywhere 9.0. I am using a cisco router attached to a fractional t1 at work. Attached to the router is a checkpoint firewall. The ip addresses from the firewall out to the internet are valid tcp/ip addresses that can be ping'd from the internet. Behind the firewall is my pc workstation running windows 98. I have enabled the correct ports on the firewall for pcanywhere to work. My problem is my pc ip address is only valid to the internal network at work not to the internet. My pc at home can not ping my pc at work. Therefore I can not see the pcanywhere host (workstation at work) from my remote pc (pc at home). What reading I have done so far tells me I need to do some kind of address translation at the firewall but I can not figure it out. So I am seeking help. Hopefully I have provided enough information to whomever responds. The network behind the firewall is nt 4.0. Should have mentioned it sooner. Thanks for your help. Please respond to my email lmattera@cwtel.com.
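As an added illustration of the static-mode versus hide-mode point made in the reply above (example code, not from the original messages or from Check Point), this small Python model of the two translation modes uses constructed addresses and pcAnywhere's TCP data port 5631. It shows why an unsolicited PC Anywhere connection from home reaches a statically translated host but not one hidden behind the firewall's single address, and why hide mode, which keys on ports, has nothing to track for ICMP.

```python
from collections import namedtuple

# Constructed sample addresses (not from the original message).
WORK_PC = "10.1.1.25"        # reserved (private) address of workstation@work
WORK_LEGAL = "192.0.2.25"    # legal external address given to it by static NAT
FW_HIDE = "192.0.2.1"        # the single legal address used by hide mode
HOME_PC = "198.51.100.7"     # fixed address of box@home
PCANYWHERE_TCP = 5631        # pcAnywhere data port
Packet = namedtuple("Packet", "proto src sport dst dport")

class StaticNat:
    """Static mode: one legal address per reserved address, both directions."""
    def __init__(self, mapping):
        self.out, self.back = dict(mapping), {v: k for k, v in mapping.items()}
    def outbound(self, p):
        return p._replace(src=self.out.get(p.src, p.src))
    def inbound(self, p):
        # Unsolicited inbound traffic is rewritten too, so the host is reachable.
        return p._replace(dst=self.back[p.dst]) if p.dst in self.back else None

class HideNat:
    """Hide mode: all internal hosts behind one address; a port per outbound flow."""
    def __init__(self, hide_addr, first_port=10000):
        self.hide_addr, self.next_port, self.flows = hide_addr, first_port, {}
    def outbound(self, p):
        if p.proto != "tcp":  # no port to rewrite (e.g. ICMP): not supported
            return None
        hp, self.next_port = self.next_port, self.next_port + 1
        self.flows[hp] = (p.src, p.sport)
        return p._replace(src=self.hide_addr, sport=hp)
    def inbound(self, p):
        # Only a reply to a flow opened from inside can be mapped back.
        if p.dst != self.hide_addr or p.dport not in self.flows:
            return None
        src, sport = self.flows[p.dport]
        return p._replace(dst=src, dport=sport)

def home_reaches_work(nat, legal_addr):
    """Does a fresh PC Anywhere connection from home arrive at the work PC?"""
    inner = nat.inbound(Packet("tcp", HOME_PC, 40000, legal_addr, PCANYWHERE_TCP))
    return inner is not None and inner.dst == WORK_PC

def work_ping_is_translated(nat):
    """Can the work PC's outbound ping be translated at all?"""
    return nat.outbound(Packet("icmp", WORK_PC, 0, HOME_PC, 0)) is not None

def outbound_web_reply_returns(nat):
    """Hide mode's normal case: an outbound TCP flow and its reply come back."""
    out = nat.outbound(Packet("tcp", WORK_PC, 1025, "203.0.113.80", 80))
    back = nat.inbound(Packet("tcp", out.dst, out.dport, out.src, out.sport))
    return back is not None and (back.dst, back.dport) == (WORK_PC, 1025)
```

Running the three checks against `StaticNat({WORK_PC: WORK_LEGAL})` and `HideNat(FW_HIDE)` reproduces the reply's diagnosis: static mode passes the inbound connection and the ping, hide mode passes only the reply to a flow the work PC opened.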
This archive was generated by hypermail 2b27 : Sat Jan 15 2000 - 21:34:02 CST