Firewall Wizards mailing list archives
Re: NAT
From: Steve George <stevege () i-way net uk>
Date: Tue, 27 Jul 1999 10:27:27 +0100
Hi Josh,

On Fri, Jul 23, 1999 at 09:19:22AM -0000, Josh Sides wrote:
Hello, I am trying to put a firewall up and my ISPs suggestions seem to conflict with my documentation. We are going to put a public web server behind the firewall. From what I have read we have to use NAT so that people on the internet can access sites hosted on this server.
Ooh yum. I hope you mean that the DMZ is on a third interface and not that the web server is really behind the firewall within your trusted network. If so you'd better look forward to being cracked. <SNIP>
If the public IP of web server is not the same as the firewall's non-secure IP, then the router must be configured such that it routes traffic for the web server via the firewall's non-secure IP address.
Generally a firewall is a NAT device. So often the external side of the FW has a public IP and the inside network uses private RFC 1918 compliant addresses. Thus there is no reason for the router to also NAT since the firewall does this. <SNIP>
The DMZ subnet includes the firewall's non-secure IP address. It also includes the IP addresses of any public servers that are placed outside the firewall. The DMZ subnet must not be the same as, or overlap with the Reserve(NAT Translation Pool) subnet.
<SNIP>
The router is currently configured at 209.51.10.128/25. My ISP says that I do not have to do anything to the router for the firewall to work. They also said the Public port of the firewall will respond to all of the IP addresses that are in the NAT pool.
OK, the substance is here. You seem to be trying to split your range up on the router whereas the ISP is saying that the public IP of the firewall can respond to any IP within the range. In essence, if you are trying to route a network through your firewall to somewhere else, such as a DMZ screened network, then you will have to subnet your range on the router and firewall and the network has to be routed through the firewall. Both the suggested ways might work with different firewalls but which is better depends on the capabilities of your system. However, right now it sounds like you and the ISP are talking at cross purposes. As someone who works in an ISP I can say we/they are generally not clueless but it is quite hard to work out what a client is doing who may be far more familiar with their setup than you. Hence, I suggest you get hold of them and try to get them to meet with you - a good diagram does wonders!

HTH,
Steve

--
"Hacker, terrorist, pornographer, drug trafficker," "That's it -- the four horsemen of the Apocalypse." J. Granick referring to the US public's fears.
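As an added illustration of the "subnet the range on the router and firewall" option Steve describes (example code written for this archive page, not from either poster): the 209.51.10.128/25 allocation from the thread is split into an outside segment (router to firewall non-secure interface) and a DMZ segment routed via the firewall, and the plan is checked against the constraints mentioned above, namely that the NAT translation pool must not overlap the DMZ subnet and that the firewall's public port answers for pool addresses, so the pool has to sit on the outside segment the router reaches directly. The /26 split, the firewall address 209.51.10.130 and the pool 209.51.10.160/27 are constructed assumptions, not values from the thread.

```python
import ipaddress

# The /25 is the one quoted in the thread; everything else below is a
# constructed example plan, not configuration from either poster.
ALLOCATION = ipaddress.ip_network("209.51.10.128/25")


def plan_split(allocation, new_prefix=26):
    """Split the ISP allocation into an outside segment (router <-> firewall
    non-secure interface) and a DMZ segment routed through the firewall.
    Returns (outside_network, dmz_network)."""
    outside, dmz = list(allocation.subnets(new_prefix=new_prefix))[:2]
    return outside, dmz


def check_plan(outside, dmz, firewall_public_ip, nat_pool, router_routes):
    """Validate the constraints discussed in the thread.
    router_routes maps destination prefix (str) -> next hop (str).
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    fw = ipaddress.ip_address(firewall_public_ip)
    pool = ipaddress.ip_network(nat_pool)
    # The firewall's non-secure IP must be on the segment the router reaches.
    if fw not in outside:
        problems.append("firewall non-secure IP not on the outside segment")
    # The NAT translation pool must not overlap the DMZ subnet.
    if pool.overlaps(dmz):
        problems.append("NAT pool overlaps the DMZ subnet")
    # The firewall answers for pool addresses on its public port, so the pool
    # must be on the outside segment where the router ARPs for them.
    if not pool.subnet_of(outside):
        problems.append("NAT pool not within the outside segment")
    # The DMZ is routed through the firewall, so the router needs a route
    # for the DMZ prefix whose next hop is the firewall's non-secure IP.
    next_hop = router_routes.get(str(dmz))
    if next_hop is None or ipaddress.ip_address(next_hop) != fw:
        problems.append("router lacks a route for the DMZ via the firewall")
    return problems


if __name__ == "__main__":
    out, dmz = plan_split(ALLOCATION)
    routes = {str(dmz): "209.51.10.130"}  # constructed static route
    print("outside:", out, "dmz:", dmz)
    print(check_plan(out, dmz, "209.51.10.130", "209.51.10.160/27", routes))
```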