Hi,

Thanks for the explanation and links to earlier posts. I will be reading them closely.
And now I know I _can_ have a tunnel from PSN to PRO.

cheers,

adrian

On 27 Mar 2002 at 9:02, Mike Burden wrote:

> The tunnel tells the GNAT Box that any traffic directed
> to AAA.BBB.CCC.DDD/PPP should be forwarded to
> EEE.FFF.GGG.HHH/ppp
>
> Where:
>   AAA.BBB.CCC.DDD is a GNAT Box address or alias
>   PPP is the port number that the traffic is directed to
>       (21=ftp, 23=telnet, 80=http, 110=pop3, etc)
>   EEE.FFF.GGG.HHH is the IP address of the server
>       that the traffic should be forwarded to
>   ppp is the port number on the server that the traffic
>       should be forwarded to. This is usually the same
>       as PPP but doesn't have to be (but that's an
>       advanced topic)
>
>
> The filter tells the GNAT Box who is allowed to use the
> tunnel. Remote Access Filters *ALWAYS* control access
> to a GNAT Box address or alias.
>
>
> Example:
>   Your GNAT Box has the EXT address: 203.44.223.1
>   You have added an alias: 203.44.223.2
>   Your DNS server resolves www.yourcompany.com as 203.44.223.1
>   Your DNS server resolves ftp.yourcompany.com as 203.44.223.1
>   Your DNS server resolves news.yourcompany.com as 203.44.223.2
>
>   Your webserver is on the PSN with the address 192.168.1.2
>   Your ftp server is on the PSN with the address 192.168.1.3
>   Your news server runs on the same server as ftp
>
> You would create the following under NAT -> Inbound Tunnels:
>   Protocol  From IP Address  Port   To IP Address    Port
>   --------  ---------------  -----  ---------------  -----
>   TCP       203.44.223.1     80     192.168.1.2      80
>   TCP       203.44.223.1     21     192.168.1.3      21
>   TCP       203.44.223.2     119    192.168.1.3      119
>
> For each of these tunnels, you can either check the "Automatic
> Accept All" box, or you can create a Remote Access Filter to
> control access. If you choose to create a filter, you would
> create one with a "Destination" IP address of 203.44.223.1
> (for the first two tunnels) or 203.44.223.2 (for the "news"
> tunnel).
>
> When a host on the Internet makes an HTTP connection to
> 203.44.223.1, the connection is forwarded to 192.168.1.2
> (this happens invisibly to the user on the Internet).
>
> If a host on the Internet makes an FTP connection to the
> same address, the connection is forwarded to 192.168.1.3.
>
>
> A tunnel can also be used to tunnel from the GNAT Box
> PSN address (or an alias on the PSN interface) to an
> address on the PRO. You want to use this with caution,
> however, because every tunnel you create from the PSN
> to the PRO is a vulnerability. How big of a vulnerability
> depends on what you are tunneling. Tunneling SMTP
> from your mailserver on the DMZ to the mailserver on
> the PRO is probably an acceptable risk to get the
> functionality you want. Tunneling NETBIOS is (in my
> opinion) always an unacceptable security risk.
>
>
> Here's a bit of a tutorial on NAT, Tunnels, and Filters
> that I posted to this group on 1/14/2000:
> http://www.gnatbox.com/gb-users/2000-01/msg00071.html
>
> As long as I'm at it, here's one on why you need two
> DNS servers when you have NAT:
> http://www.gnatbox.com/gb-users/1999-11/msg00029.html
>
>
> The index for the archive (which you may need if you
> want to read the messages I was replying to) is:
> http://www.gnatbox.com/gb-users/
>
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Adrian Bolzan [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, March 26, 2002 10:28 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [gb-users] IP Pass through question
> >
> > On 26 Mar 2002 at 8:18, Mike Burden wrote:
> >
> > > Just a quick add-on note:
> > >
> > > In general, when you want to pass inbound traffic
> > > (EXT to PSN or PSN to PRO), don't think IP Passthrough,
> > > think tunnel and filter. It's a very rare case when
> > > you actually need IP Passthrough.
> >
> > I did not think I could use a filter that allowed access directly from
> > the PSN to the PRO. In fact, I just tried it and it did not work.
> >
> > I do not understand the need for a tunnel (by my understanding of
> > "tunnel" I assume an Inbound Tunnel is meant). Do I need to set one up
> > on the PSN NIC to allow traffic directed at the PSN NIC on a certain
> > port/ports to be tunnelled to a server on the PRO network?
> >
> > And, can the PSN NIC support Aliases?
> >
> > This has been an area that I have never fully understood - how to get
> > traffic directly from the PSN to the PRO, without going via the EXT
> > NIC.
> >
> > Any assistance would be appreciated (e.g. what I have to set up).
> >
> > thanks,
> >
> > adrian
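
An added example, not part of the original thread and not GNAT Box code: a small Python model of the tunnel-plus-filter logic described above, using the tunnel table from Mike's message, plus a helper that lists PSN-to-PRO tunnels for review. Which tunnels use "Automatic Accept All", the filter source networks, the PSN interface address 192.168.1.1 and the PRO network 10.0.0.0/24 are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Tunnel(NamedTuple):
    proto: str
    from_ip: str      # GNAT Box address or alias the traffic is directed to
    from_port: int
    to_ip: str        # server the traffic is forwarded to
    to_port: int
    accept_all: bool = False   # the "Automatic Accept All" box

class Filter(NamedTuple):      # simplified Remote Access Filter (accept rule)
    dest_ip: str               # always a GNAT Box address or alias
    dest_port: int
    source_net: str

# Tunnel table from the message; which ones use "Accept All" is an assumption.
TUNNELS = [
    Tunnel("TCP", "203.44.223.1", 80, "192.168.1.2", 80, accept_all=True),
    Tunnel("TCP", "203.44.223.1", 21, "192.168.1.3", 21),
    Tunnel("TCP", "203.44.223.2", 119, "192.168.1.3", 119),
]
# Constructed filters; the source networks are made up for this example.
FILTERS = [
    Filter("203.44.223.1", 21, "198.51.100.0/24"),
    Filter("203.44.223.2", 119, "0.0.0.0/0"),
]

def forward(src, dst, port, tunnels=TUNNELS, filters=FILTERS):
    """Return (server_ip, server_port) if the connection is tunnelled, else None."""
    t = next((t for t in tunnels if (t.from_ip, t.from_port) == (dst, port)), None)
    if t is None:
        return None            # no tunnel defined for this address and port
    allowed = t.accept_all or any(
        (f.dest_ip, f.dest_port) == (dst, port)
        and ipaddress.ip_address(src) in ipaddress.ip_network(f.source_net)
        for f in filters)
    return (t.to_ip, t.to_port) if allowed else None

def psn_to_pro(tunnels, psn_addrs, pro_net):
    """List tunnels that open a path from the PSN into the PRO, for review."""
    pro = ipaddress.ip_network(pro_net)
    return [t for t in tunnels
            if t.from_ip in psn_addrs and ipaddress.ip_address(t.to_ip) in pro]

if __name__ == "__main__":
    print(forward("192.0.2.7", "203.44.223.1", 80))     # web, accept all
    smtp = Tunnel("TCP", "192.168.1.1", 25, "10.0.0.5", 25)   # constructed
    print(psn_to_pro(TUNNELS + [smtp], {"192.168.1.1"}, "10.0.0.0/24"))
```

Note that the filters match on the GNAT Box address or alias, never on the 192.168.1.x server behind it, which is the point Mike stresses.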
