Yale -

I must have missed part of an earlier dialog, so I'm not
quite sure which firewall you're using, but since you mention
a stateful packet filter, I'll try to tailor my answer to that.


> From: "Ye, Xiaodong" <[EMAIL PROTECTED]>
> 
> Thanks Jeffery and thanks all,
> 
> Case1:
>   LAN:                               192.168.1.0-192.168.1.255
>   PC1:                               192.168.1.5
>   PC2:                               192.168.1.6
>   Stateful inspection firewall+NAT:  internal: 192.168.1.1
>                                      external: 12.2.2.1
>   Default config:                    Allow all from LAN to WAN, Deny all from WAN to LAN
>   Website with streaming video:      202.*.*.*
> PC1 and PC2 both want to get streaming video content (like MEDIA PLAY, REAL
> VIDEO, QUICKTIME) from the same internet website at the same time. As we all
> know, streaming video uses UDP as the first choice to send back
> the streaming data, so two data streams come back to the NAT.
> 
> Can the firewall+NAT figure out which one is for PC1 and which one is for PC2?
> How could it realize this, or what feature of the stateful inspection
> firewall+NAT could do this job?

Most (all?) stateful firewalls with NAT will also keep track of the outgoing
source port (even if they translate it), so when the connection comes
back from the server -- it will know where the connection maps.

Depending on how complex the video streaming protocol is that you are
using, it may be necessary to use special state engines on the stateful
firewall so that it can properly do NAT of any IP addresses found
in the data portion of the packet.

Stateful packet filters that understand that protocol will not typically
need any additional inbound UDP ports open. 

> 
> 
> Case2: The situation is mostly the same as Case1, only the website is a
> security site (like banking).
> If PC1 and PC2 want to connect to the same security site, they will definitely
> have the same external real IP address 12.2.2.1 (assigned by NAT). Could that
> security site figure out who is who and let them log in correctly?

Well, the security site would not be able to use IP address for
authentication (bad idea, anyways) since they are sharing one IP.

The remote site should be able to keep the connections "straight", though,
based on connection details and sockets connected to.  The same way you
can have two connections to the same security site from the same computer
(but usually different user logins), you can also have two connections
with 2 machines sharing one IP address.

> Could NAT technology solve this kind of problem?
> 

I don't see why not.

Valerie
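
The port tracking described in the reply above, as an added example that is not part of the original message: a minimal stateful NAT table for the Case 1 topology, which also shows the two distinct sockets the remote site sees in Case 2. The class and function names, the documentation-range addresses standing in for the 202.*.*.* site and for an unrelated host, and all port numbers are assumptions constructed for the illustration.

```python
# Added illustration: minimal stateful NAPT table for the Case 1 topology.
# LAN and external addresses come from the thread; 203.0.113.10 stands in for
# the 202.*.*.* site, and every port number is a constructed sample value.
EXTERNAL_IP = "12.2.2.1"


class StatefulNat:
    def __init__(self, first_port=40000):
        self.out = {}    # (proto, in_ip, in_port, dst_ip, dst_port) -> ext_port
        self.back = {}   # (proto, ext_port, dst_ip, dst_port) -> (in_ip, in_port)
        self.next_port = first_port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """LAN -> WAN: allowed by default; create or reuse a state entry."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            ext_port = self.next_port
            self.next_port += 1
            self.out[key] = ext_port
            self.back[(proto, ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        # This 4-tuple is what the remote site sees on the wire.
        return (EXTERNAL_IP, self.out[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """WAN -> LAN: forward only if the packet matches existing state."""
        # None means no state entry, so the default "deny WAN to LAN" applies.
        return self.back.get((proto, dst_port, src_ip, src_port))


def demo():
    nat = StatefulNat()
    server = "203.0.113.10"
    # Both PCs happen to pick the same local source port toward the same server port.
    p1 = nat.outbound("udp", "192.168.1.5", 5004, server, 7000)
    p2 = nat.outbound("udp", "192.168.1.6", 5004, server, 7000)
    # The server answers each flow on the translated source port it saw.
    r1 = nat.inbound("udp", server, 7000, p1[1])
    r2 = nat.inbound("udp", server, 7000, p2[1])
    # A packet from a host with no matching state is dropped.
    stray = nat.inbound("udp", "198.51.100.7", 7000, p1[1])
    return p1, p2, r1, r2, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```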
