Title: RE: Routing to two NAT / firewall gateways ?

On incoming traffic (Internet to your site), have each firewall NAT the source IP address (that is to say, the client's IP address) to a single distinct IP address (many-to-one, or PAT) that is either (a) the firewall's internal interface or (b) an address that internal routing identifies as accessible via that distinct firewall.  Reply traffic will be routed back to the appropriate firewall, reverse NAT'd, and sent on.


For example:

    [ISP 1]                         [ISP 2]
       |                               |
       |                               |
+=====================+         +=====================+
|    50.50.50.50      |         |    60.60.60.60      |
|---------------------|         |---------------------|
| firewall router # 1 |         | firewall router # 2 |
|---------------------|         |---------------------|
|  100.100.100.50     |         |  100.100.100.60     |
+=====================+         +=====================+
       |                               |
       |                               |
   +--------------------------------------+
   | service network : 100.100.100.0 / 24 |
   +--------------------------------------+
                 |
                 |
        +===================+
        |  100.100.100.100  |
        |-------------------|
        |    web server     |
        +===================+


Let's suppose a user comes in with a request for your web server:

  Source: 5.5.5.5 (Client # 1)
  Dest:   100.100.100.100 (Web Server)
  Via:    50.50.50.50 (Firewall Router # 1, external iface)

You then have Firewall Router # 1 NAT the traffic so that it is:

  Source: 100.100.100.50 (Firewall Router # 1, internal iface)
  Dest:   100.100.100.100 (Web Server)


Simultaneously you have a second user request:

  Source: 6.6.6.6 (Client # 2)
  Dest:   100.100.100.100 (Web Server)
  Via:    60.60.60.60 (Firewall Router # 2, external iface)

You then have Firewall Router # 1 NAT the traffic so that it is:

  Source: 100.100.100.60 (Firewall Router # 2, internal iface)
  Dest:   100.100.100.100 (Web Server)


Reply traffic for 5.5.5.5 will be routed via 100.100.100.50, and 6.6.6.6 will be routed via 100.100.100.60.


This assumes that you are able to NAT the source to the internal iface of the firewall.  If you can't, then assign bogus private IP addresses and NAT to that, with routing in place identifying the private IP addresses as accessible via the appropriate firewall.

For example:

    [ISP 1]                         [ISP 2]
       |                               |
       |                               |
+=====================+         +=====================+
|    50.50.50.50      |         |    60.60.60.60      |
|---------------------|         |---------------------|
| firewall router # 1 |         | firewall router # 2 |
|---------------------|         |---------------------|
|    192.168.1.1      |         |     192.168.1.2     |
|---------------------|         |---------------------|
|  100.100.100.50     |         |  100.100.100.60     |
+=====================+         +=====================+
       |                               |
       |                               |
   +--------------------------------------+
   | service network : 100.100.100.0 / 24 |
   +--------------------------------------+
                 |
                 |
        +===================+
        |  100.100.100.100  |
        |-------------------|
        |    web server     |
        +===================+


Let's suppose a user comes in with a request for your web server:

  Source: 5.5.5.5 (Client # 1)
  Dest:   100.100.100.100 (Web Server)
  Via:    50.50.50.50 (Firewall Router # 1, external iface)

You then have Firewall Router # 1 NAT the traffic so that it is:

  Source: 192.168.1.1 (Firewall Router # 1, bogus private address)
  Dest:   100.100.100.100 (Web Server)


Simultaneously you have a second user request:

  Source: 6.6.6.6 (Client # 2)
  Dest:   100.100.100.100 (Web Server)
  Via:    60.60.60.60 (Firewall Router # 2, external iface)

You then have Firewall Router # 1 NAT the traffic so that it is:

  Source: 192.168.1.2 (Firewall Router # 2 bogus private address)
  Dest:   100.100.100.100 (Web Server)


Reply traffic for 5.5.5.5 will go out via 100.100.100.50, and 6.6.6.6 will go out via 100.100.100.60.  This requires that you set up routing on the Web Server host that identifies that 192.168.1.1 is accessible via 100.100.100.50, and that 192.168.1.2 is accessible via 100.100.100.60.  Note that neither the 192.168.1.1 nor the 192.168.1.2 address is actually in use or assigned to any interface anywhere.


This all assumes that you don't care/need to deal with BGP or similar load-balancing between ISP scenarios.


Greg S.
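
The following is an added example, not part of Greg's reply or the original question; it is a small Python model of the topology above (the web server's routing table plus two stateful NAT gateways) that reproduces the failure the original poster hit and then runs both of the fixes described above. The class names, the scenario labels ("no-snat", "snat-internal", "snat-private") and the session-table representation are assumptions of the model, not anything the firewalls in the thread expose; the addresses are the ones from the diagrams.

```python
"""Model of the two-gateway reply-path problem and the source-NAT fix.

Scenarios (labels are this example's own):
  no-snat        firewalls only DNAT the published IP to the web server
  snat-internal  each firewall also SNATs the client to its own internal iface
  snat-private   each firewall SNATs the client to an unused private address,
                 and the web server carries a host route for each one
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Router:
    """Longest-prefix-match routing table. A next hop of None means 'on-link'."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            raise LookupError(f"no route to {dst}")
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return dst if nh is None else nh  # on-link: deliver straight to dst


class Firewall:
    """Stateful NAT gateway: DNAT the published IP to the server on the way in,
    optionally SNAT the client address, and reverse both on the way out."""

    def __init__(self, name, public_ip, internal_ip, server_ip, snat_to: Optional[str] = None):
        self.name, self.public_ip, self.internal_ip = name, public_ip, internal_ip
        self.server_ip, self.snat_to = server_ip, snat_to
        self.sessions = {}  # (inside_src, inside_dst) -> real client IP

    def inbound(self, pkt: Packet) -> Packet:
        assert pkt.dst == self.public_ip, "packet was not addressed to this gateway"
        inside_src = self.snat_to or pkt.src  # constructed: one address per gateway, PAT-style
        self.sessions[(inside_src, self.server_ip)] = pkt.src
        return Packet(src=inside_src, dst=self.server_ip)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        client = self.sessions.get((pkt.dst, pkt.src))
        if client is None:
            return None  # no session state here: this gateway never saw the request
        return Packet(src=self.public_ip, dst=client)


WEB = "100.100.100.100"
FW1_INT, FW2_INT = "100.100.100.50", "100.100.100.60"


def run(scenario: str) -> dict:
    """Send one request through each ISP and report where the reply ends up."""
    on_link_and_default = [("100.100.100.0/24", None), ("0.0.0.0/0", FW1_INT)]
    if scenario == "no-snat":
        snat, routes = (None, None), on_link_and_default
    elif scenario == "snat-internal":
        snat, routes = (FW1_INT, FW2_INT), on_link_and_default
    elif scenario == "snat-private":
        snat = ("192.168.1.1", "192.168.1.2")
        routes = on_link_and_default + [("192.168.1.1/32", FW1_INT), ("192.168.1.2/32", FW2_INT)]
    else:
        raise ValueError(scenario)

    fw1 = Firewall("fw1", "50.50.50.50", FW1_INT, WEB, snat[0])
    fw2 = Firewall("fw2", "60.60.60.60", FW2_INT, WEB, snat[1])
    by_internal_ip = {FW1_INT: fw1, FW2_INT: fw2}
    web_server = Router(routes)

    results = {}
    for client, ingress in (("5.5.5.5", fw1), ("6.6.6.6", fw2)):
        request = ingress.inbound(Packet(src=client, dst=ingress.public_ip))
        reply = Packet(src=WEB, dst=request.src)  # server answers whatever source it saw
        egress = by_internal_ip.get(web_server.next_hop(reply.dst))
        if egress is None:
            results[client] = "unreachable"
            continue
        out = egress.outbound(reply)
        results[client] = "dropped" if out is None else f"{egress.name}:{out.src}->{out.dst}"
    return results


if __name__ == "__main__":
    for name in ("no-snat", "snat-internal", "snat-private"):
        print(name, run(run.__doc__ and name))
```

In the "no-snat" run the reply to 6.6.6.6 follows the web server's default route to firewall 1, which holds no session for it, so the second ISP only works when it is the default gateway; that is exactly the symptom in the original question. In both SNAT runs the reply's destination is an address that routes back to the gateway that created the session, so the translation is reversed correctly on each side. If the firewalls are Linux boxes (an assumption; the thread does not say), the first fix is a POSTROUTING SNAT rule on each firewall (`iptables -t nat -A POSTROUTING -d 100.100.100.100 -j SNAT --to-source 100.100.100.50` on firewall 1) and the second adds host routes on the web server (`ip route add 192.168.1.2/32 via 100.100.100.60`). One operational consequence worth noting: with either fix the web server's logs record the firewall's address rather than the real client, so the NAT session logs on the firewalls become the only place to attribute a request to a source IP; keep them, and keep their clocks in sync with the server.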


-----Original Message-----
From: David Smart [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 3:02 PM
To: Firewall
Subject: Routing to two NAT / firewall gateways ?


I am upgrading my internet service and (temporarily) have Internet connectivity from two ISPs. Each ISP interfaces to my LAN via its own firewall router - with filtering - with NAT enabled - and some holes poked through for my exposed services. It may be obvious in retrospect (but it wasn't to me) that the external services only work when their host points to that ISP's router as default gateway.

That is: I can telnet to ISP-2's external IP address and get a telnet session to my inside host only if the inside host running telnetd points to ISP-2's router as default. But then I cannot make any use of ISP-1 from that host.

Is there a service or configuration I could employ to make the routing work with two NAT gateways? If this was addressed before - please just point me there.

Thanks,
Dave
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
