On Mon, 11 Dec 2000, Ben Nagy wrote:
>> -----Original Message-----
>> From: Magic Phibo [mailto:[EMAIL PROTECTED]]
>> Sent: Friday, 8 December 2000 11:58
>> To: Ben Nagy
>> Cc: [EMAIL PROTECTED]
>> Subject: RE: Routing Question
>>
>[...]
>> >Set up the external NIC on the firewall to own that whole
>> 199.199.199.208
>>
>> Do you mean setting up eth0 being the external nic with
>> 199.199.199.210 and
>> aliases eth0:0, eth0:1 ... for 199.199.199.211-222 ?
>
>No - I just meant to not subnet that network - have the firewall netmask as
>a /28. Sorry - my language wasn't clear.
OK, but how does the router know that it should route all addresses of the
official IP range through the firewall? Again, I don't have access to the router
and would like to do it without having to contact, ask and pay the provider.
I think defining all the addresses on the external NIC of the firewall would
solve the routing problem, wouldn't it?
If I had access to the router, I would just configure a route for that whole
subnet with the firewall as gateway, and define the DMZ NIC of the firewall
as gateway on the DMZ hosts. I think that should work ...
>> and what about the two dns servers ?
>
>If they need to be accessible from the outside then you need to put them in
>the DMZ and NAT for them. If they're for internal users then you can just
>put them in that LAN and let dynamic NAT take care of it.
>
>[...]
>> I suppose you mean doing source NAT for 192.168.1.x to
>> 199.199.199.210-215
>> and destination NAT from 221 (mail) to 172.16.31.1 and from
>> 222 (web) to
>> 172.16.31.2. Probably I should also do destination NAT from
>> 219 and 220
>> (prim./sec. dns servers) to let's say 172.16.31.3 and 4. Btw.
>> what do you mean
>> with NAT in two pools ?
>
>That's just to underline the fact that you can't overlap those NAT ranges.
>One range needs to be used for static mappings and another range needs to be
>used for dynamic NAT for the client LAN - it's bad to have those ranges
>intersecting.
OK, that's clear now, thanks.
>
>> One NAT pool is (210-215) for
>> internal clients and the
>> other ? Should I use the same pool for the dmz clients or the
>> remaining
>> addresses (216-218) ?
>
>What DMZ clients? You have static NAT mappings for everything in the DMZ
>that needs to get to the outside world. If the DMZ boxes actually need to
>initiate connections to the outside world then I would just harden them and
Yes, the DNS servers are public. So they have to be in the DMZ and, of course,
have to initiate connections to the outside world.
>give them a full static IP NAT translation (ie don't just translate port 80
>or 25 or whatever).
OK, I think I have to do full static NAT for the DMZ hosts, or at least for the
two DNS servers.
Thanks in advance for your answer!
Cheers
Phibo
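The address plan discussed in this thread, sanity-checked the way Ben describes it (one static pool for the DMZ hosts, one dynamic pool for the client LAN, the two never intersecting, everything inside the provider's /28). This is an added example, not code from the thread; the inside addresses for the DNS servers are Phibo's "let's say" values, and the report of unused public addresses is extra.

```python
import ipaddress

# Constructed from the plan in the thread: the provider's /28 and the
# split Ben recommends into one static pool and one dynamic pool.
PUBLIC_NET = ipaddress.ip_network("199.199.199.208/28")

# Dynamic (source) NAT pool for the 192.168.1.x client LAN, inclusive.
DYNAMIC_POOL = ("199.199.199.210", "199.199.199.215")

# Full static one-to-one NAT for the DMZ hosts (not just port 25 or 80).
# Inside addresses of the DNS servers are the "let's say" values from the mail.
STATIC_MAP = {
    "199.199.199.219": "172.16.31.3",  # primary DNS
    "199.199.199.220": "172.16.31.4",  # secondary DNS
    "199.199.199.221": "172.16.31.1",  # mail
    "199.199.199.222": "172.16.31.2",  # web
}

def pool_addresses(first, last):
    """Expand an inclusive first..last range into a set of addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return {ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)}

def check_nat_plan(net, dynamic_pool, static_map):
    """Return (problems, unused): problems found and public hosts still free."""
    problems = []
    usable = set(net.hosts())  # .209-.222; network and broadcast excluded
    dynamic = pool_addresses(*dynamic_pool)
    static = {ipaddress.ip_address(pub) for pub in static_map}

    # Every public address handed to NAT must be a usable host of the /28.
    for addr in sorted(dynamic | static):
        if addr not in usable:
            problems.append(f"{addr} is not a usable host address in {net}")

    # Ben's rule: the static and dynamic pools must not intersect.
    for addr in sorted(dynamic & static):
        problems.append(f"{addr} is in both the static and the dynamic pool")

    # A static mapping must be one-to-one: no inside host used twice.
    inside = list(static_map.values())
    for dup in sorted({a for a in inside if inside.count(a) > 1}):
        problems.append(f"inside address {dup} has more than one static mapping")

    unused = sorted(usable - dynamic - static)
    return problems, unused

if __name__ == "__main__":
    problems, unused = check_nat_plan(PUBLIC_NET, DYNAMIC_POOL, STATIC_MAP)
    print("problems:", problems or "none")
    print("unused public addresses:", [str(a) for a in unused])
```

With the plan as posted, the check reports no problems and leaves .209 and .216-.218 free; widening the dynamic pool into .219 makes it flag the overlap Ben warns about.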