As far as the e-commerce web server being accessible to your Customers, you will probably need a tunnel and filter to allow access to port 80 (HTTP) and port 443 (Secure HTTP).

Your DMZ may use RFC1918 addresses, and the GNAT Box will translate incoming requests directed at ports 80 and 443 of the GNAT Box EXT interface (or one of its aliases) to the same port on the web server. When the web server responds to the request, the GNAT Box will do the opposite translation so that the response appears to the client as if it had come from the GNAT Box EXT interface (or its alias). If you use an alias on the EXT interface to communicate with the web server, then you should use a static translation instead of a tunnel. If you don't, then the responses will appear to come from the GNAT Box EXT interface instead of coming from the alias, and may be blocked if your Customer is behind a firewall or proxy server.

-----Original Message-----
From: dennis custer [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 24, 2000 12:54 PM
To: 'Michael W. Burden'
Subject: RE: New install Configuration question

Michael,

We are going to implement e-commerce. This will be on the DMZ web server using NAT. This will work, correct? I don't know the port assignments yet, but thought I would ask.

Dennis

-----Original Message-----
From: Michael W. Burden [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 14, 2000 11:24 AM
To: dennis custer; [EMAIL PROTECTED]
Subject: RE: New install Configuration question

Send postings to: [EMAIL PROTECTED]
Access the list archives at: http://www.gnatbox.com/gb-users/
----------------------------------

I think that you have missed a crucial point. The GNAT Box performs network address translation, meaning that when a machine on your DMZ or Protected Network opens a connection to a server on the External network (i.e., the Internet), it looks to the server like the request came from the GNAT Box External IP address (or one of its aliases, depending on the configuration).

Similarly, when someone on the External network attempts to access your site (i.e., the Web Server or FTP server), they will open a connection to the GNAT Box External address (or one of its aliases). The Tunnel facility then allows you to direct traffic that arrives at a given address and port to the correct address and port of your server on the DMZ.

RFC1918 (See: http://info.internet.isi.edu/in-notes/rfc/files/rfc1918.txt) set aside groups of IP addresses to be used either on networks that were behind Network Address Translators, or that were not connected to the Internet. Your best practice is to use these addresses for your DMZ and protected network.

What you want to do is something like:

  "Your side" of the router:     zzz.yyy.xxx.1
  External GNAT Box address:     zzz.yyy.xxx.2
  GNAT Box PSN (DMZ) address:    192.168.1.1
  Web Server address:            192.168.1.2
  FTP Server address:            192.168.1.3
  GNAT Box PRO address:          192.168.2.1
  Hosts on Protected network:    192.168.2.2-254

  Tunnel and filter connecting zzz.yyy.xxx.2 port 80 to 192.168.1.2 port 80
  Tunnel and filter connecting zzz.yyy.xxx.2 port 21 to 192.168.1.3 port 21

  All of the hosts on the DMZ will use 192.168.1.1 as their default route
  All of the hosts on the PRO will use 192.168.2.1 as their default route

The DNS server that resolves your addresses to the outside world should respond with zzz.yyy.xxx.2 for both www.yourbiz.com and ftp.yourbiz.com (where yourbiz.com is your domain).

If you simply MUST have different IP addresses on the EXT network for your Web Server and your FTP server (remember, they can be different IP addresses on your DMZ even if they have the same IP address on your EXT network because the tunnels will direct the traffic based on the port number!) then you can:

1. Create one or more "aliases" for the GNAT Box external address.
2. Create static IP mappings from the aliases to the servers (these will take the place of the tunnels in our previous example).
3. Adjust the destination IP addresses of the filters so that instead of filtering traffic destined for zzz.yyy.xxx.2, they filter port 80 (web) traffic destined for zzz.yyy.xxx.3 (the address that is mapped to your Web Server) and port 21 traffic destined for zzz.yyy.xxx.4 (the address that is mapped to your ftp server).
4. Configure DNS to return zzz.yyy.xxx.3 for www.yourbiz.com and zzz.yyy.xxx.4 for ftp.yourbiz.com.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of dennis custer
Sent: Friday, January 14, 2000 10:35 AM
To: '[EMAIL PROTECTED]'
Subject: New install Configuration question

I have 1 class C address, which has to be configured on my Internet router Ethernet. Using the 3.0 GB I have a mail server, FTP server and a web server that need to be configured on the DMZ and use this same class C; however, it will not allow me to use the IP class twice when configuring the NICs. Any suggestions?

Dennis

----------------------------------------------
To Unsubscribe: send mail to [EMAIL PROTECTED] with
"unsubscribe gb-users your_email_address" in the body of the message
----------------------------------------------
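The thread describes two inbound translation styles on the GNAT Box: a port tunnel on the EXT address (good when every service shares zzz.yyy.xxx.2) and a static mapping from an EXT alias to a DMZ host (required when the service is published on an alias, because with a tunnel the reply leaves from the primary EXT address and a stateful firewall in front of the customer drops it). The following is an added model of that behaviour, written for this page; it is not GNAT Box code. The `GnatBoxSim` class, the `203.0.113.x` stand-ins for zzz.yyy.xxx.x, the `198.51.100.10` client and the `client_accepts` check are all constructed assumptions that follow the thread's description of tunnels, static mappings and filters.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed stand-ins: zzz.yyy.xxx.N from the thread rendered in the
# 203.0.113.0/24 documentation range; the client is a constructed Internet host.
EXT_PRIMARY = "203.0.113.2"    # zzz.yyy.xxx.2, the GNAT Box EXT interface
EXT_ALIAS_WEB = "203.0.113.3"  # zzz.yyy.xxx.3, an alias on the EXT interface
WEB_SERVER = "192.168.1.2"     # DMZ web server, as in the thread
FTP_SERVER = "192.168.1.3"     # DMZ FTP server, as in the thread
CLIENT = "198.51.100.10"       # a customer somewhere on the Internet


class GnatBoxSim:
    """Hypothetical model of the tunnel/static-map behaviour the thread describes."""

    def __init__(self, ext_primary):
        self.ext_primary = ext_primary
        self.filters = set()       # (ext_addr, port) pairs admitted inbound
        self.tunnels = {}          # (ext_addr, ext_port) -> (dmz_addr, dmz_port)
        self.reverse_tunnels = {}  # (dmz_addr, dmz_port) -> ext_port
        self.static_maps = {}      # ext_alias -> dmz_addr (every port)
        self.reverse_static = {}   # dmz_addr -> ext_alias

    def add_filter(self, ext_addr, port):
        self.filters.add((ext_addr, port))

    def add_tunnel(self, ext_addr, ext_port, dmz_addr, dmz_port):
        # The thread always pairs a tunnel with its filter.
        self.add_filter(ext_addr, ext_port)
        self.tunnels[(ext_addr, ext_port)] = (dmz_addr, dmz_port)
        self.reverse_tunnels[(dmz_addr, dmz_port)] = ext_port

    def add_static_map(self, ext_alias, dmz_addr):
        # A static map covers all ports; the filters must be adjusted separately (step 3).
        self.static_maps[ext_alias] = dmz_addr
        self.reverse_static[dmz_addr] = ext_alias

    def inbound(self, pkt):
        """Rewrite a packet arriving on EXT; None means the box drops it."""
        if (pkt.dst, pkt.dport) not in self.filters:
            return None
        if pkt.dst in self.static_maps:
            return Packet(pkt.src, pkt.sport, self.static_maps[pkt.dst], pkt.dport)
        rule = self.tunnels.get((pkt.dst, pkt.dport))
        if rule is None:
            return None
        dmz_addr, dmz_port = rule
        return Packet(pkt.src, pkt.sport, dmz_addr, dmz_port)

    def outbound(self, pkt):
        """Rewrite a DMZ host's reply the way the thread says the box does."""
        if pkt.src in self.reverse_static:
            # Static mapping: the reply carries the alias as its source.
            return Packet(self.reverse_static[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        # Tunnel: the port is restored, but the source is always the EXT
        # primary address, whichever EXT address the request was sent to.
        ext_port = self.reverse_tunnels.get((pkt.src, pkt.sport), pkt.sport)
        return Packet(self.ext_primary, ext_port, pkt.dst, pkt.dport)


def client_accepts(request, reply):
    """Stateful firewall in front of the customer: the reply must come from
    exactly the address and port the request was sent to."""
    return (reply.src == request.dst and reply.sport == request.dport
            and reply.dst == request.src and reply.dport == request.sport)


def exchange(gb, request):
    """One request/reply through the model: (reply as the client sees it, accepted?)."""
    inside = gb.inbound(request)
    if inside is None:
        return None, False
    server_reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)
    reply = gb.outbound(server_reply)
    return reply, client_accepts(request, reply)


def thread_scenarios():
    """Evaluate the configurations discussed in the thread; returns {name: result}."""
    results = {}
    # Michael's first design: tunnels plus filters on the primary EXT address.
    gb = GnatBoxSim(EXT_PRIMARY)
    gb.add_tunnel(EXT_PRIMARY, 80, WEB_SERVER, 80)
    gb.add_tunnel(EXT_PRIMARY, 21, FTP_SERVER, 21)
    results["tunnel_on_primary_http"] = exchange(gb, Packet(CLIENT, 40000, EXT_PRIMARY, 80))[1]
    results["tunnel_on_primary_ftp"] = exchange(gb, Packet(CLIENT, 40001, EXT_PRIMARY, 21))[1]
    results["no_rule_for_443"] = exchange(gb, Packet(CLIENT, 40002, EXT_PRIMARY, 443))[1]
    # The pitfall from the last reply: a tunnel bound to an alias.
    gb = GnatBoxSim(EXT_PRIMARY)
    gb.add_tunnel(EXT_ALIAS_WEB, 80, WEB_SERVER, 80)
    reply, ok = exchange(gb, Packet(CLIENT, 40003, EXT_ALIAS_WEB, 80))
    results["tunnel_on_alias_http"] = ok
    results["tunnel_on_alias_reply_src"] = reply.src
    # The fix: static map from the alias, with the filter moved to the alias (step 3).
    gb = GnatBoxSim(EXT_PRIMARY)
    gb.add_static_map(EXT_ALIAS_WEB, WEB_SERVER)
    gb.add_filter(EXT_ALIAS_WEB, 80)
    reply, ok = exchange(gb, Packet(CLIENT, 40004, EXT_ALIAS_WEB, 80))
    results["static_map_on_alias_http"] = ok
    results["static_map_reply_src"] = reply.src
    results["static_map_alias_unfiltered_port"] = exchange(gb, Packet(CLIENT, 40005, EXT_ALIAS_WEB, 25))[1]
    return results


if __name__ == "__main__":
    for name, value in thread_scenarios().items():
        print(f"{name}: {value}")
```

Running the script shows the three outcomes the thread predicts: tunnels on the primary address work for both services and a port without a tunnel/filter (443 here) is dropped; a tunnel on an alias produces a reply sourced from 203.0.113.2 that a stateful client firewall rejects; a static map on the alias produces a reply sourced from the alias and is accepted. The last scenario also shows why step 3 matters: a static map forwards every port, so only the filter keeps port 25 from reaching the web server.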
