Jason,

Had used a similar setup (had to use NAT three times) with Cisco routers
with success. The router does proxy ARP in my case. Cannot comment about
the Sun/Firewall-1 stuff ...

hth

Reinhold


-- 
Reinhold Fischer                  [EMAIL PROTECTED]
CCNP/SunCSA/HP Certified Consultant for Network Management

On Tue, 17 Oct 2000, Jason Jin wrote:

> 
> I have a situation where I need to NAT twice, once on the router,
> and then again on Firewall-1.  I can't figure out whether this
> will ever work. Here's our network diagram:
> 
>     
>  WAN                   DMZ        INTERNAL 
> -----| Router |--------|Firewall-1|------|HostA|--
>          
> We are assigned address space 32.x.x.192-32.x.x.207
> from our ISP (WAN). Since our DMZ is using 172.24.100.0/24,
> the router is doing static NAT to this range. Our internal network
> is 10.10.1.0/24.
> 
> 
> The IP addresses are as follows:
>   
>       Router   = interface on DMZ 172.24.100.3 ( NATed)
>       Firewall-1: interface (qfe0)  on DMZ   172.24.100.2
>                   interface (qfe1)  on internal 10.10.1.2
>                               
> HostA:  since I need to access HostA from the WAN side,
>       HostA needs to be NAT'ed at two places:
>       at Firewall-1 it is NAT'ed from 10.10.1.101 to 172.24.100.101,
>       at the router it is NAT'ed from 32.x.y.101 to 172.24.100.101.
>       
> I have set up the firewall rules, route and ARP entry on Firewall-1
> for HostA, and address translation works fine for HostA if
> I connect from the DMZ.
> 
> Now here's my problem: if I want to connect from HostB on the WAN
> side, the packet is destined for 32.x.y.101, the destination is
> first NATed to 172.24.100.101, then picked up by Firewall-1,
> which is listening for ARP requests, and NATed to 10.10.1.101?
> Will this work?
> 
> One question: when somebody on the DMZ sends out an ARP request
> for 172.24.100.101, Firewall-1 will respond, but will the router
> respond too, since it is doing NAT for this address as well?
> Any help is much appreciated.
> 
> 
> TIA,
> 
> Jason 

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
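
The two-stage static NAT described in the thread, as an added example that is not part of either message: it traces an inbound destination through both translations and lists which device has to answer ARP for each translated address on each segment. Assumptions: 192.0.2.101 is a constructed stand-in for the elided 32.x.y.101, the WAN subnet is invented, and a NAT device is modelled as answering ARP only for the outside address of its own rule.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in: the post elides the public address as 32.x.y.101,
# so a documentation address (192.0.2.0/24) is used in its place.
PUBLIC = "192.0.2.101"

# Layer-2 segments and their subnets (the WAN subnet is an assumption).
SEGMENTS = {
    "wan": ip_network("192.0.2.0/24"),
    "dmz": ip_network("172.24.100.0/24"),
    "internal": ip_network("10.10.1.0/24"),
}

# Static NAT rules: (device, outside segment, outside address,
#                    inside segment, inside address)
RULES = [
    ("router", "wan", PUBLIC, "dmz", "172.24.100.101"),
    ("firewall-1", "dmz", "172.24.100.101", "internal", "10.10.1.101"),
]

def trace_inbound(dst, segment="wan"):
    """Follow a destination address hop by hop through the static NAT rules."""
    path = [(segment, dst)]
    while True:
        rule = next((r for r in RULES if r[1] == segment and r[2] == dst), None)
        if rule is None:
            return path
        segment, dst = rule[3], rule[4]
        path.append((segment, dst))

def arp_responders():
    """Map (segment, address) -> devices that must answer ARP for it.

    Modelling assumption: a device answers only for the outside address of
    its own rule, on the outside segment, if the address is in that subnet.
    """
    owners = defaultdict(set)
    for device, out_seg, out_ip, _in_seg, _in_ip in RULES:
        if ip_address(out_ip) in SEGMENTS[out_seg]:
            owners[(out_seg, out_ip)].add(device)
    return dict(owners)

def arp_conflicts():
    """Addresses that more than one device would claim on the same segment."""
    return {k: v for k, v in arp_responders().items() if len(v) > 1}

if __name__ == "__main__":
    print(trace_inbound(PUBLIC), arp_responders(), arp_conflicts(), sep="\n")
```

Adding a second rule that publishes the same outside address on the same segment makes `arp_conflicts()` report it, which is the duplicate-responder case to check for before deploying chained NAT.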
