The DMZ machines are using static NAT, the internal 10-Net ones are using hide NAT.
I'm not sure how to tell if the NAT is occurring between the DMZ and 10-net... I
assumed it was universal, and therefore added the NAT addresses into the
anti-spoofing rules on the interface. Well, maybe not quite "assumed": things
quit working until I added the NAT addresses in :-)
As for the necessity, I don't think it is, but I inherited the firewall setup as
is. Whether it was configured this way out of necessity or not is unknown to me.
I've been tightening up the rulebase one thing at a time and seeing what breaks.
I added the anti-spoofing on the interfaces and what broke was the access
to the ftp servers from inside the 10-net.
Regards,
Jim
-----Original Message-----
From: CryptoTech [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 9:50 AM
To: Gadrow, Jim
Cc: 'Ken McKinlay'; '[EMAIL PROTECTED]'
Subject: Re: [FW1] Problems with ftp

Jim,

Two questions:
Is NAT occurring between the DMZ and the internal net? If so, is this really necessary?
Second question, are you using static or hide NAT for the client connections?

Regards,
CryptoTech
