here ya go...this should explain "mo better" what i am trying to say....
current:

    web.server  <------ real ip#1
        |
        |------> firebox/firewall
        |
    mail.server <------ real ip#2

proposed:

    web.server  <------ private ip#1
        |
        |------> firebox/firewall <------ real ip#1,2
        |
    mail.server <------ private ip#2

----- Original Message -----
From: "Valerie Anne Bubb" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, December 14, 2001 1:29 PM
Subject: Re: NAT w/ one to one mapping

> >Delivered-To: [EMAIL PROTECTED]
> >From: "Aaron Jongbloedt" <[EMAIL PROTECTED]>
> >
> >what pros/cons would you have if you had one<-->one NAT mapping for your
> >servers, ie:
> >
> >web.server  192.168.1.5 <--> 216.191.221.51
> >mail.server 192.168.1.6 <--> 216.191.221.60
> >
> >so the firewall is doing NAT with one to one mapping... therefore your
> >servers are usable over the net, but they have private IPs because the
> >firewall has the real IP addy and is forwarding the requests. so my
> >question is what would be the difference of just letting the servers have a
> >real address but yet behind a firewall.
>
> Without seeing a network diagram, I'm going to assume that your
> firewall's public IP is something like 216.191.221.x. Also assuming that
> your firewall is a routing type, and not bridging. So, by putting your
> servers behind the firewall, you gain the protection of the firewall.
>
> You could also protect them with a host-based firewall, or
> a bridging firewall and let them keep their real IPs.
>
> Assuming you'll still want to access these from internal clients,
> if you've got your servers on the same private network, the internal
> clients will be able to directly access the servers w/out going
> through the firewall.
>
> Personally, I would put the servers off of a third interface
> and set up a DMZ. So they are still protected by your firewall,
> and your internal network still has a layer of defense in case
> those servers are compromised.
>
> >part two: i am already running NAT, can i also do this one<-->one mapping as
> >well?
>
> That depends on what firewall you are using. It should only be a
> matter of reconstructing your NAT rules to be more specific.
>
> >part three: on the machines that are being NATted (private IPs) what is the
> >real address that is being spoofed? Or should i say, if i go to a website
> >using a private ip machine, what address does the website think it is
> >talking to?
>
> The public IP, though getting the private IP is not too difficult.
>
> hth
>
> Valerie
>
> --
> Now appearing as Beth Beam in: "Dilemma at the Toll Road Inn" and
> the Gaslighter Theater's Nearly World Famous Vaudeville Revue!
> http://www.gaslighter.com/ Now - New Year's Eve. Tix: 408.866.1408
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
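As an added illustration (not from the thread, and not Firebox syntax), here is what Valerie's advice in parts one and two looks like as a Linux nftables ruleset: the two one-to-one mappings from Aaron's question sit as more specific rules in front of the existing many-to-one NAT, and the servers live on a third DMZ interface. The interface names (eth0 public, eth1 internal LAN, eth2 DMZ), the 192.168.2.0/24 LAN subnet and the published ports are assumptions; the server addresses are the ones in the question.

```nftables
# Added example for the Firewalls thread above, not the poster's own config.
# Assumed layout: eth0 = public side, eth1 = internal LAN 192.168.2.0/24,
# eth2 = DMZ 192.168.1.0/24 holding the two servers. The firewall owns (or
# is routed) the two public addresses.
define PUB_WEB   = 216.191.221.51
define PRIV_WEB  = 192.168.1.5
define PUB_MAIL  = 216.191.221.60
define PRIV_MAIL = 192.168.1.6
define LAN       = 192.168.2.0/24

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound half of the 1:1 mappings: public address -> private server
        iifname "eth0" ip daddr $PUB_WEB  dnat to $PRIV_WEB
        iifname "eth0" ip daddr $PUB_MAIL dnat to $PRIV_MAIL
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound half: each server leaves with its own public address,
        # which is what a remote website sees (part three of the question)
        oifname "eth0" ip saddr $PRIV_WEB  snat to $PUB_WEB
        oifname "eth0" ip saddr $PRIV_MAIL snat to $PUB_MAIL
        # The pre-existing many-to-one NAT for the rest of the LAN; the
        # more specific 1:1 rules above are evaluated first
        oifname "eth0" ip saddr $LAN masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Internet -> DMZ: only the services each server publishes; dnat
        # has already run, so match on the private address
        iifname "eth0" oifname "eth2" ip daddr $PRIV_WEB  tcp dport { 80, 443 } accept
        iifname "eth0" oifname "eth2" ip daddr $PRIV_MAIL tcp dport 25 accept
        # LAN -> DMZ now crosses the firewall instead of bypassing it
        iifname "eth1" oifname "eth2" accept
        # LAN -> Internet
        iifname "eth1" oifname "eth0" accept
        # DMZ -> LAN is left to the drop policy, so a compromised server
        # cannot reach the internal network
    }
}
```

Load with `nft -f` and inspect the counters on the DMZ rules to confirm that internal clients now reach the servers through the forward chain rather than directly.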