Firewall Wizards mailing list archives

Re: NAT


From: Steve George <stevege () i-way net uk>
Date: Tue, 27 Jul 1999 10:27:27 +0100

Hi Josh,

On Fri, Jul 23, 1999 at 09:19:22AM -0000, Josh Sides wrote:
> Hello,
> 
> I am trying to put a firewall up and my ISPs suggestions seem to conflict
> with my documentation. We are going to put a public web server behind the
> firewall.  From what I have read we have to use NAT so that people on the
> internet can access sites hosted on this server.

Ooh yum, I hope you mean that the DMZ is on a third interface and not that the web server is really behind the firewall 
within your trusted network.  If so you'd better look forward to being cracked.

<SNIP>

> If the public IP of web server is not the same as the firewall's non-secure
> IP, then the router must be configured such that it routes traffic for the
> web server via the firewall's non-secure IP address.

Generally a firewall is a NAT device.  So often the external side of the FW has a public IP and the inside network uses 
private RFC 1918 compliant addresses.  Thus there is no reason for the router to also NAT since the firewall does this.

<SNIP>

> The DMZ subnet includes the firewall's non-secure IP address.  It also
> includes the IP addresses of any public servers that are placed outside the
> firewall.  The DMZ subnet must not be the same as, or overlap with the
> Reserve(NAT Translation Pool) subnet.

<SNIP>
> The router is currently configured at 209.51.10.128/25.  My ISP says that I
> do not have to do anything to the router for the firewall to work.  They
> also said the Public port of the firewall will respond to all of the IP
> addresses that are in the NAT pool.


OK, the substance is here.  You seem to be trying to split your range up on the router whereas the ISP is saying that 
the public IP of the firewall can respond to any IP within the range.

In essence, if you are trying to route a network through your firewall to somewhere else, such as a DMZ screened network, 
then you will have to subnet your range on the router and firewall and the network has to be routed through the 
firewall.

Both the suggested ways might work with different firewalls but which is better depends on the capabilities of your 
system.

However, right now it sounds like you and the ISP are talking at cross purposes.  As someone who works in an ISP I can 
say we/they are generally not clueless but it is quite hard to work out what a client is doing who may be far more 
familiar with their setup than you.  Hence, I suggest you get hold of them and try to get them to meet with you - a 
good diagram does wonders!

HTH,

Steve

-- 
"Hacker, terrorist, pornographer, drug trafficker," 
"That's it -- the four horsemen of the Apocalypse." 
 J. Granick referring to the US public's fears.
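As an added example (not part of Steve's reply or Josh's post), the approach Steve describes, subnetting the range so the DMZ is routed through the firewall, worked through for the 209.51.10.128/25 block Josh mentions, together with the two checks from Josh's documentation (DMZ must not overlap the NAT translation pool; router forwards the DMZ via the firewall's outside address). The split into two /26s, the choice of router on the first host and firewall outside interface on the second, the inside network and NAT pool values, and the Cisco-style `ip route` syntax are all this example's own assumptions, not anything stated in the thread.

```python
import ipaddress

# RFC 1918 private ranges, used to sanity-check the inside (trusted) network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def plan_subnets(block_cidr, new_prefix=26):
    """Split the ISP-assigned block into two subnets: the first carries the
    router <-> firewall link (router on the first usable host, firewall outside
    interface on the second), the second becomes the screened DMZ network.
    Which subnet and host gets which role is this example's own assumption."""
    block = ipaddress.ip_network(block_cidr)
    outside, dmz = list(block.subnets(new_prefix=new_prefix))[:2]
    link_hosts = list(outside.hosts())
    return {
        "public_block": str(block),
        "outside_subnet": str(outside),
        "router_ip": str(link_hosts[0]),
        "firewall_outside_ip": str(link_hosts[1]),
        "dmz_subnet": str(dmz),
        "dmz_usable_hosts": len(list(dmz.hosts())),
    }


def dmz_route(plan):
    """The static route the router needs so traffic for the DMZ is forwarded
    via the firewall's outside address (Cisco-style syntax, illustrative only)."""
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    return f"ip route {dmz.network_address} {dmz.netmask} {plan['firewall_outside_ip']}"


def check_plan(plan, inside_cidr, nat_pool_cidr):
    """Return a list of problems with the addressing plan (empty if clean).
    Rules encoded: the DMZ must not equal or overlap the NAT translation pool;
    the inside network should be RFC 1918 space, so the router has no reason
    to NAT as well; the NAT pool must lie inside the block the ISP routes to
    the firewall and must not swallow the router's own address."""
    problems = []
    dmz = ipaddress.ip_network(plan["dmz_subnet"])
    pool = ipaddress.ip_network(nat_pool_cidr)
    inside = ipaddress.ip_network(inside_cidr)
    public = ipaddress.ip_network(plan["public_block"])
    if dmz.overlaps(pool):
        problems.append(f"DMZ {dmz} overlaps the NAT pool {pool}")
    if not any(inside.subnet_of(r) for r in RFC1918):
        problems.append(f"inside network {inside} is not RFC 1918 private space")
    if not pool.subnet_of(public):
        problems.append(f"NAT pool {pool} is outside the routed block {public}")
    if ipaddress.ip_address(plan["router_ip"]) in pool:
        problems.append(f"NAT pool {pool} contains the router address {plan['router_ip']}")
    return problems


if __name__ == "__main__":
    # Constructed values: the /25 from the thread, an assumed inside LAN and NAT pool.
    plan = plan_subnets("209.51.10.128/25")
    for key, value in plan.items():
        print(f"{key:20} {value}")
    print(dmz_route(plan))
    print("clean plan:", check_plan(plan, "192.168.1.0/24", "209.51.10.160/27"))
    print("bad plan:  ", check_plan(plan, "192.168.1.0/24", "209.51.10.192/26"))
```

The point of `check_plan` is the "talking at cross purposes" part of the thread: the ISP's statement that the firewall answers for every address in the NAT pool only holds when that pool sits inside the block the router already delivers to the firewall, while a separately routed DMZ needs its own subnet and a static route on the router. Running the two checks side by side shows which of the two designs a given addressing plan actually implements.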