Re: need advice on a NAT issue.

[<hesselsp () ashaman dhs org>]

Thankyou for your email.

I beleive I do need state sharing, otherwise when one of the routers dies
all the active sessions are lost.

A simple router won't do NAT for those weird protocols, such as
NetMeeting(which places the src ip inside the data portion of the
packet).  Unless I am wrong, and the routers do support those protocols.

The only thing that checkpoint would get me is support for weird
protocols.  The only thing that stonebeat would get me is the state
sharing...

What do you think?
--Paul

On Fri, 26 Jan 2001 Jeffery.Gieser () minnesotamutual com wrote:

> #I need to build a highly available, full function network.
>
> #I was thinking about buying FW-1 and (Stonebeat|Rainwall), but it seems to
> #be that this is a pretty expensive solution.
>
> #Considering I don't plan on doing ANY filtering, what do I get from
> #FW-1 and (Stonebeat|Rainwall)?
>
> Absolutely nothing.  First of all, Firewall-1 is a pretty expensive
> solution to just use for NAT.  Firewall-1 is supposed to be used for
> filtering so if you are not going to do any filtering don't waste your
> money on a firewall.
>
> #-high availability
> #-state sharing
> #-load balancing
> #-weird protocol support(ie netmeeting)
>
> Why don't you just use a couple of load-balanced routers.  If all you need
> this for is NAT then routers are the best way to go.  They can easily be
> made high availability.  You don't need state sharing because all the do is
> route traffic.  If it runs on IP (or SNA, IPX, ect.) it can be routed by a
> router.
>
> On the freeware side of things you can through together a couple of <insert
> your favorite opensource OS here **cough**BSD**cough**> boxes and let then
> do NAT.  Once again since you don't need to filter, they can just route the
> traffic.
>
> Regards,
> Jeffery Gieser

-- 
--Paul

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards