[fw-wiz] Static NAT with a twist


Hallo all,

I was hoping to get some advice from people familiar with PIX firewall
configuration, to make sure one (e.g. the 515E) would do what I wanted it to
do before I buy it. I hope that's OK on this list.

I have a slightly complicated setup: essentially, there are 2 networks
coming into the server room, and one web server. The web server will be
hosting some sites on an IP on "net_1", and some on an IP on "net_2". It
currently has just one IP, on net_1.

I won't go into details, but letting the networks "mix" on the wires, VLANs,
or extra NICs are not solutions in my case. So it has to be done at the
border router.

What I'd really like is a router/firewall that can assume "net_1" is the
default, and pass packets to/from it, but if a packet comes in for net_2 it
rewrites it ("static NAT" essentially) to net_1.

So for instance:

Request comes in for net_1:

                to net_1
-------------  <----------  ----------  <--- packet to net_1
| Web server|               | Router |
-------------  ---------->  ----------  ---> packet from net_1
               from net_1

Request comes in for net_2:

                to net_1
-------------  <----------  ----------  <--- packet to net_2
| Web server|               | Router |
-------------  ---------->  ----------  ---> packet from net_2
               from net_1

Traffic originating from net_1 stays on net_1:

-------------               ----------
| Web server|               | Router |
-------------  --------->   ----------  ---> packet from net_1
               from net_1

It's this third one that will require some tricksiness, since otherwise I'd
just use static NAT and have done with it.

Many thanks for any help/advice you can offer as to what kit will do this.


Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444

firewall-wizards mailing list
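
The three cases drawn above, as an added example that is not part of the original post: a small model of a router that keys the rewrite on connection state rather than on the server's address, so only replies to net_2 requests are rewritten. The addresses are constructed (RFC 5737 documentation ranges), the class and function names are hypothetical, and this is not PIX configuration.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not from the post.
NET1_IP = "192.0.2.10"     # web server's only real address, on net_1
NET2_IP = "198.51.100.10"  # net_2 address the router answers for

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Router:
    """Hypothetical model: destination rewrite tracked per connection."""

    def __init__(self):
        # (client ip, client port, server port) -> net_2 address requested
        self.conntrack = {}

    def inbound(self, p):
        """Packet from outside heading for the web server."""
        key = (p.src, p.sport, p.dport)
        if p.dst == NET2_IP:
            self.conntrack[key] = NET2_IP
            return Packet(p.src, p.sport, NET1_IP, p.dport)
        # net_1 is the default: pass unchanged, and drop any stale net_2
        # entry so this flow's replies are not rewritten by mistake.
        self.conntrack.pop(key, None)
        return p

    def outbound(self, p):
        """Packet from the web server heading outside."""
        orig = self.conntrack.get((p.dst, p.dport, p.sport))
        if p.src == NET1_IP and orig is not None:
            return Packet(orig, p.sport, p.dst, p.dport)  # reply to net_2 request
        return p  # reply to a net_1 request, or server-originated traffic

def demo():
    r = Router()
    client = "203.0.113.5"  # constructed client address
    to_srv_1 = r.inbound(Packet(client, 50000, NET1_IP, 80))
    reply_1 = r.outbound(Packet(NET1_IP, 80, client, 50000))
    to_srv_2 = r.inbound(Packet(client, 51000, NET2_IP, 80))
    reply_2 = r.outbound(Packet(NET1_IP, 80, client, 51000))
    # Third case: the server opens its own connection to the same client host.
    own = r.outbound(Packet(NET1_IP, 40000, client, 25))
    return to_srv_1.dst, reply_1.src, to_srv_2.dst, reply_2.src, own.src
```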
