is it possible to NAT & BI-NAT on aliases on a NIC?

Wed, 13 Jul 2005 10:08:55 -0700 

Hi,
I have a weird network configuration. My client has a private WAN connection provided by the local government. There are two different parties that are using the WAN to provide services to the client. One has put their own Cisco PIX to protect their servers. The other connection has no firewall. Neither of these can be trusted, so I want to put them behind an OpenBSD firewall. The Cisco 1721 providing the WAN has a "generic" set of firewall rules that the government isn't willing to change (20,000 sites on the priate WAN, understandable to not want custom configs at each site!). 


To get traffic out onto the WAN, I need to NAT it to very specific IP 
addresses.  The catch is there are there are two different IP addresses 
they need the traffic NAT'd to.  It is based on the source IP and 
destination IP.



I THINK the way to do this is to have an alias on the interface, and 
have the pf.conf do the NAT'ing appropriately.  The alias is required so 
that the returning packets will be accepted by the correct interface.



So, is it possible to do a "binat" and a "nat" to addresses that are 
interface aliases?  I'm still at the "on paper" design stages, so I 
can't test... the new firewall is not even onsite yet, so I do not have 
"hands on".



And yes, I know about VLAN's, but that's not the way that the client 
wants to go...


Here is an attempt at some ascii art!

Internet
  |
  |(INTA)
+-----+                                     +---+
|  O  |10.2.60.4 (INTB) +----------------|  | S |  +-------------------+

|  p  |-----------------| Cisco PIX 506E |--| W |--| Cisco 1721 Router 
|-T1 to WAN
|  e  |        10.2.60.2+----------------|  | I |  +-------------------+ 
A.B.C.D
|  n  |                                     | T |  10.2.60.1/32          
E.F.G.H
|  B  |                                  +--| C |  Default Gateway       
I.J.K.L
|  S  |                                  |  | H |                        
M.N.O.P
|  D  |                                  |  +---+                        
Q.R.S.T

|     |                                  |
| 3.7 |                                  |
|  C  |                                  |
|  u  |10.2.60.5 (INTC)                  |
|  r  |----------------------------------+
|  r  |alias 10.2.60.28
|  e  |alias 10.2.60.29
|  n  |
|  t  |
|     |
+-----+
  |(INTD)
  |
Internal Network
192.168.11.0/24


Routes as follows:
Traffic from 192.168.11.A/32 (via INTD) going to A.B.C.D/32
   through INTC BINAT to 10.2.60.29/32
Traffic from INTD to E.F.G.H through INTC NAT to 10.2.60.28/32
Traffic from INTD to I.J.K.L through INTC NAT to 10.2.60.28/32

Traffic from INTD going to M.N.O.P through INTB NAT
Traffic from INTD going to Q.R.S.T through INTB NAT

Thanks,
Steve


PS.  I know INTC could just have 10.2.60.28 (or 29) as it's IP, but I 
want to keep things consistant
























					Reply via email to