here ya go...this should explain "mo better" what i am trying to say....


current:

web.server <------|
real ip#1         |
                  |-------> firebox/firewall
mail.server<------|
real ip#2



proposed:

web.server <------|
private ip#1      |
                  |-------> firebox/firewall
mail.server<------|         real ip#1,2
private ip#2

----- Original Message -----
From: "Valerie Anne Bubb" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, December 14, 2001 1:29 PM
Subject: Re: NAT w/ one to one mapping


>
> >Delivered-To: [EMAIL PROTECTED]
> >From: "Aaron Jongbloedt" <[EMAIL PROTECTED]>
> >
> >what pros/cons would you have if you had one<-->one NAT mapping for your
> >servers, i.e.:
> >
> >web.server 192.168.1.5<-->216.191.221.51
> >mail.server 192.168.1.6<-->216.191.221.60
> >
> >so the firewall is doing NAT with one to one mapping...therefore your
> >servers are usable over the net, but they have private IPs because the
> >firewall has the real IP addy and is forwarding the requests.  so my
> >question is what would be the difference of just letting the servers have a
> >real address but yet behind a firewall.
>
> Without seeing a network diagram, I'm going to assume that your
> firewall's public IP is something like 216.191.221.x. Also assuming that
> your firewall is a routing type, and not bridging. So, by putting your
> servers behind the firewall, you gain the protection of the firewall.
>
> You could also protect them with a host-based firewall, or
> a bridging firewall and let them keep their real IPs.
>
>
> Assuming you'll still want to access these from internal clients,
> if you've got your servers on the same private network, the internal
> clients will be able to directly access the servers w/out going
> through the firewall.
>
> Personally, I would put the servers off of a third interface
> and set up a DMZ.  So they are still protected by your firewall,
> and your internal network still has a layer of defense in case
> those servers are compromised.
>
> >part two: i am already running NAT, can i also do this one<-->one mapping as
> >well?
>
> That depends on what firewall you are using.  It should only be a
> matter of reconstructing your NAT rules to be more specific.
>
> >
> >part three: on the machines that are being NATted (private IPs) what is the
> >real address that is being spoofed?  Or should i say, if i go to a website
> >using a private IP machine, what address does the website think it is
> >talking to?
>
> The public IP, though getting the private IP is not too difficult.
>
>
> hth
>
> Valerie
>
> --
> Now appearing as Beth Beam in:  "Dilemma at the Toll Road Inn" and
> the Gaslighter  Theater's  Nearly World  Famous Vaudeville  Revue!
> http://www.gaslighter.com/ Now - New Year's Eve. Tix: 408.866.1408
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
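Valerie's two suggestions above, reconstructing the NAT rules to be more specific and moving the servers onto a third interface as a DMZ, worked through as an added example that is not part of this thread and is not a Firebox configuration: a shell script that prints a Linux nftables ruleset for the two mappings in the question. The interface names eth0/eth1/eth2, the internal client subnet 10.0.0.0/24, and the inbound port lists (80,443 for the web server, 25 for the mail server) are assumptions; the servers keep the 192.168.1.x and 216.191.221.x addresses from the question, on a DMZ subnet separate from the LAN. The script only prints the ruleset, so it runs anywhere without root.

```shell
#!/bin/sh
# Added example (not from the list thread): print an nftables ruleset giving
# DMZ servers one-to-one NAT behind a three-interface Linux firewall.
# Interface names, the LAN subnet and the port lists are assumptions.

WAN_IF=eth0          # assumed: Internet side, holds the real IPs
LAN_IF=eth1          # assumed: internal clients
DMZ_IF=eth2          # assumed: third interface holding the servers
LAN_NET=10.0.0.0/24  # assumed: internal client subnet, already NATted

# Constructed mapping table: private_ip public_ip tcp_ports_allowed_inbound
MAPPINGS='192.168.1.5 216.191.221.51 80,443
192.168.1.6 216.191.221.60 25'

# NAT table: DNAT inbound to each public address, SNAT outbound from each
# server to its own public address, then a catch-all masquerade for the LAN.
# The specific rules come first: nat statements are terminal, so the catch-all
# only sees traffic the one-to-one rules did not claim.
gen_nat_table() {
    echo "table ip nat {"
    echo "    chain prerouting {"
    echo "        type nat hook prerouting priority dstnat; policy accept;"
    printf '%s\n' "$MAPPINGS" | while read -r priv pub ports; do
        echo "        iifname \"$WAN_IF\" ip daddr $pub dnat to $priv"
    done
    echo "    }"
    echo "    chain postrouting {"
    echo "        type nat hook postrouting priority srcnat; policy accept;"
    printf '%s\n' "$MAPPINGS" | while read -r priv pub ports; do
        echo "        oifname \"$WAN_IF\" ip saddr $priv snat to $pub"
    done
    echo "        oifname \"$WAN_IF\" ip saddr $LAN_NET masquerade"
    echo "    }"
    echo "}"
}

# Filter table: forward drops by default, admits Internet traffic only to the
# listed DMZ addresses and ports (DNAT has already rewritten the destination
# by the time forward runs), lets LAN and DMZ reach the Internet, lets LAN
# reach the DMZ, and never lets the DMZ open connections into the LAN.
gen_filter_table() {
    echo "table ip filter {"
    echo "    chain forward {"
    echo "        type filter hook forward priority filter; policy drop;"
    echo "        ct state established,related accept"
    echo "        ct state invalid drop"
    printf '%s\n' "$MAPPINGS" | while read -r priv pub ports; do
        echo "        iifname \"$WAN_IF\" oifname \"$DMZ_IF\" ip daddr $priv tcp dport { $ports } ct state new accept"
    done
    echo "        iifname \"$LAN_IF\" oifname \"$WAN_IF\" accept"
    echo "        iifname \"$LAN_IF\" oifname \"$DMZ_IF\" accept"
    echo "        iifname \"$DMZ_IF\" oifname \"$WAN_IF\" accept"
    echo "        iifname \"$DMZ_IF\" oifname \"$LAN_IF\" drop"
    echo "    }"
    echo "}"
}

gen_ruleset() {
    gen_nat_table
    gen_filter_table
}

# Sanity check on the generated text: no one-to-one snat rule may follow the
# catch-all masquerade, or that server would leave with the firewall's address
# instead of its own. Exit status only.
check_snat_order() {
    gen_nat_table | awk '/masquerade/ { m = 1 } /snat to/ && m { exit 1 }'
}

gen_ruleset
```

Run it as `sh nat-dmz.sh > rules.nft`, review the output, then load it with `nft -f rules.nft` on the firewall. The ordering in postrouting is the whole point of "more specific" rules: a server's outbound connections leave with its own public address (which is what a remote website sees, answering part three), while the rest of the LAN shares the firewall's address. The final DMZ-to-LAN drop is what makes the third-interface layout pay off if one of the servers is compromised.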
