"Manesh, Nasser (CAP, PTL)" wrote:
>
> 1) Does a firewall act like a gateway (TCP router)? Can I put a 192.168 IP
> address at the other side for example?
>

(For simplicity's sake, my answer assumes a firewall is a router with a packet filter.)

Sure. As for addresses, the only requirement is that packets are routable between the ISP's nearest router and the host which happens to be assigned a global address. The intermediate IP addresses don't count. Also, any intermediate router may be equipped with its own packet filter. (BTW, the host itself may have its own filter, which is highly recommended for hosts on a DMZ.)

> 2) If (1) is possible, are there any advantages in putting "real, valid" IP
> addresses on the internal side and the rest of the network? What's the
> usual practice for IP addressing in such a scenario?

A small advantage. If the intermediate device has to send ICMP to the originator, it uses its IP address, whatever it is. Some people don't care, others think it's ugly. However, this problem can be overcome using NAT on the outermost router, if you wish and the router has NAT capability.

>
> 3) If I want to use NAT, should I use it on the firewall box or somewhere
> else on the network?

First, note that the NAT feature may be used for various purposes and in various places. The above is one example. The NAT you referred to is another, but by far the most common one. NAT software is usually tied to its specific filter software. So the natural place to put the NAT rules is where you write the main filter rules. But again, this isn't a strong requirement.

horio shoichi
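
The arrangement from answers 1 and 3, sketched as an added example that is not part of the original message: private 192.168 addresses on the inside, with the filter rules and the NAT rule kept in one ruleset on the firewall box. nftables is an assumption here (the message names no particular software), and the interface names and address range are constructed.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names and the inside network are assumptions.
# IPv4 only; IPv6 would need its own rules.
flush ruleset

define WAN_IF  = "eth0"            # toward the ISP's nearest router
define LAN_IF  = "eth1"            # internal side, private addressing
define LAN_NET = 192.168.1.0/24

table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state invalid drop
        # Replies and ICMP errors tied to known connections.
        ct state established,related accept
        # Inside hosts may ping the firewall itself.
        iifname $LAN_IF ip saddr $LAN_NET icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # A packet claiming an inside source must never arrive from outside.
        iifname $WAN_IF ip saddr $LAN_NET drop
        ct state invalid drop
        ct state established,related accept
        # Inside hosts may open connections outward; nothing new comes in.
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept
    }
}

# The NAT rule sits in the same file as the filter rules above.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT: 192.168.1.0/24 leaves with the firewall's outside address.
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

Running `nft -c -f` on the file checks the syntax without applying it.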
