> -----Original Message-----
> From: Magic Phibo [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 8 December 2000 11:58
> To: Ben Nagy
> Cc: [EMAIL PROTECTED]
> Subject: RE: Routing Question
>
[...]
> >Set up the external NIC on the firewall to own that whole
> 199.199.199.208
>
> Do you mean setting up eth0 being the external nic with
> 199.199.199.210 and
> aliases eth0:0, eth0:1 ... for 199.199.199.211-222 ?
No - I just meant to not subnet that network - have the firewall netmask as
a /28. Sorry - my language wasn't clear.
> and what about the two dns servers ?
If they need to be accessible from the outside then you need to put them in
the DMZ and NAT for them. If they're for internal users then you can just
put them in that LAN and let dynamic NAT take care of it.
[...]
> I suppose you mean doing source NAT for 192.168.1.x to
> 199.199.199.210-215
> and destination NAT from 221 (mail) to 172.16.31.1 and from
> 222 (web) to
> 172.16.31.2. Probably I should also do destination NAT from
> 219 and 220
> (prim./sec. dns servers) to let's say 172.16.31.3 and 4. Btw.
> what do you mean
> with NAT in two pools ?
That's just to underline the fact that you can't overlap those NAT ranges.
One range needs to be used for static mappings and another range needs to be
used for dynamic NAT for the client LAN - it's bad to have those ranges
intersecting.
> One NAT pool is (210-215) for
> internal clients and the
> other ? Should I use the same pool for the dmz clients or the
> remaining
> addresses (216-218) ?
What DMZ clients? You have static NAT mappings for everything in the DMZ
that needs to get to the outside world. If the DMZ boxes actually need to
initiate connections to the outside world then I would just harden them and
give them a full static IP NAT translation (ie don't just translate port 80
or 25 or whatever).
> Thanks VERY much for your help !
No worries.
>
> Cheers
> Phibo
Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
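An added example, not code from the thread or from either poster, that writes the address plan discussed above down as data and enforces the point Ben makes: the dynamic source-NAT pool for the client LAN and the static 1:1 mappings for the DMZ hosts must not overlap, and every public address must sit inside the 199.199.199.208/28 block (network and broadcast excluded). The addresses are the ones from the exchange (dynamic pool .210-.215, mail .221, web .222, DNS .219/.220 to 172.16.31.3 and .4); the interface names eth0/eth1/eth2 and the choice of Linux iptables as the target are assumptions. The rule generator refuses to emit anything for a plan that fails the checks, and each DMZ host gets a full static translation in both directions rather than a single forwarded port.

```python
"""Two-pool NAT plan checker and iptables rule generator (added example).

Addresses follow the thread: 199.199.199.208/28 outside, 192.168.1.0/24 as
the client LAN, DMZ hosts in 172.16.31.0/24.  Interface names and the use
of iptables are assumptions, not stated in the thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OUTSIDE_NET = ipaddress.ip_network("199.199.199.208/28")
CLIENT_LAN = ipaddress.ip_network("192.168.1.0/24")
OUTSIDE_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"  # assumed interface names


@dataclass
class NatPlan:
    outside: ipaddress.IPv4Network
    # dynamic SNAT pool for the client LAN: inclusive first and last address
    dynamic_pool: Tuple[str, str]
    # static 1:1 mappings: public address -> DMZ host
    static_maps: Dict[str, str] = field(default_factory=dict)

    def dynamic_addresses(self) -> List[ipaddress.IPv4Address]:
        first = int(ipaddress.ip_address(self.dynamic_pool[0]))
        last = int(ipaddress.ip_address(self.dynamic_pool[1]))
        return [ipaddress.ip_address(a) for a in range(first, last + 1)]

    def problems(self) -> List[str]:
        """Return every violation of the plan; an empty list means it is usable."""
        errors: List[str] = []
        dyn = set(self.dynamic_addresses())
        static_public = [ipaddress.ip_address(a) for a in self.static_maps]
        reserved = {self.outside.network_address, self.outside.broadcast_address}
        for addr in list(dyn) + static_public:
            if addr not in self.outside:
                errors.append(f"{addr} is outside {self.outside}")
            elif addr in reserved:
                errors.append(f"{addr} is the network or broadcast address")
        # the rule Ben states: the two pools must never intersect
        for addr in sorted(dyn.intersection(static_public)):
            errors.append(f"{addr} is in both the dynamic and the static pool")
        # two public addresses pointing at one DMZ host is almost always a typo
        seen: Dict[str, str] = {}
        for pub, priv in self.static_maps.items():
            if priv in seen:
                errors.append(f"{priv} is mapped from both {seen[priv]} and {pub}")
            seen[priv] = pub
        return errors

    def iptables_rules(self) -> List[str]:
        """Emit nat-table rules; refuses to emit anything for a broken plan."""
        errs = self.problems()
        if errs:
            raise ValueError("; ".join(errs))
        rules = [
            # dynamic NAT for the client LAN, spread over the dynamic pool
            f"iptables -t nat -A POSTROUTING -o {OUTSIDE_IF} -s {CLIENT_LAN} "
            f"-j SNAT --to-source {self.dynamic_pool[0]}-{self.dynamic_pool[1]}"
        ]
        ordered = sorted(self.static_maps.items(),
                         key=lambda kv: ipaddress.ip_address(kv[0]))
        for pub, priv in ordered:
            # full static translation both ways, not just port 25 or 80
            rules.append(f"iptables -t nat -A PREROUTING -i {OUTSIDE_IF} "
                         f"-d {pub} -j DNAT --to-destination {priv}")
            rules.append(f"iptables -t nat -A POSTROUTING -o {OUTSIDE_IF} "
                         f"-s {priv} -j SNAT --to-source {pub}")
        return rules


# The plan from the thread (DNS addresses are Phibo's "let's say" values).
THREAD_PLAN = NatPlan(
    outside=OUTSIDE_NET,
    dynamic_pool=("199.199.199.210", "199.199.199.215"),
    static_maps={
        "199.199.199.219": "172.16.31.3",  # primary DNS
        "199.199.199.220": "172.16.31.4",  # secondary DNS
        "199.199.199.221": "172.16.31.1",  # mail
        "199.199.199.222": "172.16.31.2",  # web
    },
)

if __name__ == "__main__":
    for rule in THREAD_PLAN.iptables_rules():
        print(rule)
```

Filtering rules (what each DMZ host may actually accept from the outside, and what the DMZ may initiate) still have to be written separately in the filter table; the generator only covers the translation, which is the part where overlapping pools silently break things.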