I can't understand why you could ping both addresses from outside NAT, either.
The problem is caused by how the source IP of response packets is translated. So, if
both external addresses are accepted, this means the pinger does not check the
source address of the response packet. Is this really the case? Where is the firewall
for the pinger?
If my understanding is correct (I hope so), this problem is solvable by making the
NAT translation rule strictly one-to-one. In other words, incoming and outgoing
address translation must match.
The simplest way would be, considering the NAT rule is one-to-one, to let the old NAT
translate to the new IP. If this is impractical you must maintain two translations
in parallel, i.e., for one external address give one internal address, and
for the other give the other one. Paraphrasing this further, you need two
internal servers as mouss suggests, or a host with two internal IP addresses,
known as an IP alias. You must give the duality at least on the NAT on the default
path.
horio shoichi
mouss wrote:
>
> I don't see how you can ping it using the second firewall!
> you have an "impossible" situation. when the web server responds to the client,
> it has one default route pointing to the first FW, so the response goes
> through this one. if your client is connected to both firewalls, then it gets
> the response. otherwise, it won't. even when it gets the response, the route
> traversed by requests is different from that used by responses.
>
> the only way to get around this while keeping both "routes" is to use an
> application level proxy on the second firewall so that requests arriving at
> the web server through the second FW have the IP addr of this firewall.
>
> otherwise, you'll need to set up 2 web servers :)
>
> but if your 2nd FW works correctly, why all the headaches. just change the
> default routes and forget about the first FW....
>
> At 17:44 18/10/00 -0700, David Loysen wrote:
> >I am having a problem that I can't quite figure out.
> >
> >Here's the setup.
> >
> >I am in the process of moving from one ISP to another. I use NAT and have a
> >web server on my private network that is accessible through the firewall by
> >using one-to-one NAT.
> >
> >So what I've done so far is bring in a second T-1 and firewall with the
> >intention of using both while I make changes to various client machines that
> >access my internal web server. Right now the web server has its default
> >gateway set to the first firewall.
> >
> >Now the real problem.
> >
> >My internal web server now has two valid external IP addresses, both of
> >which I can ping. But I can only get the web page off of one of the IPs at
> >a time. The difference seems to be how the default gateway is set on the web
> >server.
> >
> >Is there a way to make the web server respond to both IPs?
> >
> >Thanks for any help or ideas 'cause I'm fresh out of both
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
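A small model of the two-firewall one-to-one NAT setup discussed in this thread, added here as an example and not part of any poster's message. The firewall names, internal addresses and external addresses are constructed; it reproduces why a reply that leaves through the server's single default gateway comes back from the "wrong" external address (breaking the web fetch but, on horio's hypothesis, still satisfying ping), and shows the IP-alias arrangement horio proposes.

```python
# Model of the two-firewall, one-to-one NAT setup discussed in the thread.
# Addresses are constructed from the RFC 5737 documentation ranges.

# Which firewall the Internet delivers each external address to (its ISP link).
LINKS = {"192.0.2.80": "fw1", "198.51.100.80": "fw2"}

# One-to-one NAT tables per firewall: external -> internal.
# Original setup: both firewalls map their own address to the same server.
NAT_ORIG = {
    "fw1": {"192.0.2.80": "10.0.0.10"},
    "fw2": {"198.51.100.80": "10.0.0.10"},
}

# The thread's proposal: an IP alias on the server gives one internal address
# per external address, and the firewall on the default path knows both pairs.
NAT_ALIAS = {
    "fw1": {"192.0.2.80": "10.0.0.10", "198.51.100.80": "10.0.0.11"},
    "fw2": {"198.51.100.80": "10.0.0.11"},
}

def reply_source(ext_dst, nat, gw):
    """Source address the client sees on the reply to a packet sent to ext_dst,
    or None if the default-gateway firewall has no translation for it."""
    # Inbound: the firewall owning the link rewrites the destination.
    internal = nat[LINKS[ext_dst]][ext_dst]
    # The server answers from the internal address it was reached on and hands
    # the reply to its single default gateway, whichever way the request came.
    internal_to_ext = {i: e for e, i in nat[gw].items()}
    return internal_to_ext.get(internal)

def tcp_reply_accepted(ext_dst, nat, gw):
    """TCP matches replies on the full 4-tuple: the SYN-ACK must come from the
    address the SYN was sent to, so a rewritten source breaks the web fetch."""
    return reply_source(ext_dst, nat, gw) == ext_dst

def ping_reply_accepted(ext_dst, nat, gw):
    """horio's hypothesis: the pinger matches only ICMP id/sequence, not the
    source address, so any reply that makes it back counts as success."""
    return reply_source(ext_dst, nat, gw) is not None

def scenario(nat, gw):
    """Per external address: (ping works, web fetch works)."""
    return {ext: (ping_reply_accepted(ext, nat, gw),
                  tcp_reply_accepted(ext, nat, gw)) for ext in LINKS}

if __name__ == "__main__":
    for label, nat, gw in [("original, gw fw1", NAT_ORIG, "fw1"),
                           ("original, gw fw2", NAT_ORIG, "fw2"),
                           ("ip alias, gw fw1", NAT_ALIAS, "fw1")]:
        print(label, scenario(nat, gw))
```

The model only checks translation consistency; in a real deployment the first ISP may still drop packets whose source address belongs to the second ISP's range, which is why the asymmetric path is fragile even when the NAT tables match.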