At 09:49 07/07/00 +0930, Ben Nagy wrote:
>[snipsnip]
>.......... If the firewall is maintaining a NAT mapping for an IP
>address that is not directly bound to an interface (ie NOT the firewall's
>own IP address) then it needs to remember to respond to ARP requests for
>this IP address.
>
>You can't solve this problem with routing unless you have something like the
>"fake" NAT mappings being in a different network, which is not what we were
>talking about (as far as I could see).
>[snip]

Here is the situation I understand when reading the original message:
packets sent to some address, say 20.1.2.3, should be passed by the
external router to the FW, which then redirects them to some internal
host, say 10.1.2.3.

From the standpoint of the router, this is possible if one of the following
conditions is ok:
- the router knows the real or faked MAC address of 20.1.2.3.
- the router knows a route to this address.

Concerning the "different network" remark, the router and DMZ may be
in a different logical network (subnet would be more precise), even if they
are in the same physical one.

That said, I fully agree that the static route solution is not always possible
or easy, and that the more elegant solution is to bind 20.1.2.3 to the
external interface of the firewall.

regards,
mouss
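
The two conditions above (the router can learn a MAC for the NAT'd address, or it holds a route for it toward the firewall) are easy to check mechanically, and a mapping that meets neither is a silent black hole. The script below is an added example written for this thread, not code from mouss or Ben Nagy. It assumes a Linux firewall using iptables DNAT, with 20.1.2.2 as the firewall's external address, and every command output it parses is constructed here to resemble `iptables -t nat -S`, `ip -4 addr show`, `ip neigh show proxy` and `ip route show` output rather than captured from a real system.

```python
"""Audit DNAT'd public addresses against the three ways the outside router can
reach them: the address is bound to the firewall's external interface, the
firewall answers proxy ARP for it, or the router has a static route for it via
the firewall.  Anything else is flagged UNREACHABLE.

All sample outputs below are CONSTRUCTED to mimic Linux tool output."""
import ipaddress
import re

# constructed: `iptables -t nat -S PREROUTING` on the firewall
NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 20.1.2.3/32 -j DNAT --to-destination 10.1.2.3
-A PREROUTING -d 20.1.2.4/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.1.2.4:443
-A PREROUTING -d 20.1.2.5/32 -j DNAT --to-destination 10.1.2.5
-A PREROUTING -d 20.1.2.6/32 -j DNAT --to-destination 10.1.2.6
"""

# constructed: `ip -4 addr show eth0` on the firewall (external interface)
FW_ADDRS = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 20.1.2.2/24 brd 20.1.2.255 scope global eth0
    inet 20.1.2.3/32 scope global eth0
"""

# constructed: `ip neigh show proxy` on the firewall
FW_PROXY_ARP = """\
20.1.2.4 dev eth0 proxy
"""

# constructed: `ip route show` on the external router (firewall is 20.1.2.2)
ROUTER_ROUTES = """\
default via 20.1.2.254 dev eth1
20.1.2.0/24 dev eth1 proto kernel scope link src 20.1.2.1
20.1.2.5/32 via 20.1.2.2 dev eth1
"""

FIREWALL_EXT_IP = ipaddress.ip_address("20.1.2.2")  # assumption for this example

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def dnat_targets(rules):
    """Map external address -> internal target for every DNAT rule."""
    out = {}
    for line in rules.splitlines():
        m = re.search(r"-d " + IPV4 + r"(?:/\d+)? .*-j DNAT --to-destination (\S+)", line)
        if m:
            out[ipaddress.ip_address(m.group(1))] = m.group(2)
    return out


def bound_addresses(ip_addr_output):
    """Addresses configured on the interface: the kernel answers ARP for these."""
    return {ipaddress.ip_address(m.group(1))
            for m in re.finditer(r"^\s+inet " + IPV4 + r"/\d+", ip_addr_output, re.M)}


def proxy_arp_addresses(neigh_output):
    """Addresses the firewall answers ARP for on behalf of other hosts."""
    return {ipaddress.ip_address(line.split()[0])
            for line in neigh_output.splitlines() if line.rstrip().endswith(" proxy")}


def router_routes_via(route_output, next_hop):
    """Prefixes the router forwards to `next_hop` (connected and default routes skipped)."""
    nets = []
    for line in route_output.splitlines():
        m = re.match(IPV4 + r"(?:/\d+)? via " + IPV4, line)
        if m and ipaddress.ip_address(m.group(2)) == next_hop:
            nets.append(ipaddress.ip_network(m.group(1)))
    return nets


def classify(ext_ip, bound, proxied, routes):
    """Which of the three mechanisms (if any) gets packets for ext_ip to the firewall."""
    if ext_ip in bound:
        return "bound"
    if ext_ip in proxied:
        return "proxy-arp"
    if any(ext_ip in net for net in routes):
        return "static-route"
    # The router's connected /24 wins over its default route, so it ARPs and
    # nobody answers: the NAT mapping exists but can never receive traffic.
    return "UNREACHABLE"


def audit(nat_rules=NAT_RULES, fw_addrs=FW_ADDRS, fw_proxy=FW_PROXY_ARP,
          router_routes=ROUTER_ROUTES, fw_ext_ip=FIREWALL_EXT_IP):
    """Return {external address: mechanism} for every DNAT'd address."""
    bound = bound_addresses(fw_addrs)
    proxied = proxy_arp_addresses(fw_proxy)
    routes = router_routes_via(router_routes, fw_ext_ip)
    return {str(ext): classify(ext, bound, proxied, routes)
            for ext in dnat_targets(nat_rules)}


if __name__ == "__main__":
    for ext, how in sorted(audit().items()):
        print(f"{ext:<12} {how}")
```

With the constructed inputs, 20.1.2.3 is reachable because it is bound to eth0, 20.1.2.4 through proxy ARP, 20.1.2.5 through the router's static route, and 20.1.2.6 is flagged: it has a DNAT rule but nothing on the outside will ever deliver a frame for it to the firewall.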


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
