Re: [fw-wiz] Static NAT with a twist



Oliver,

Either I am misinterpreting your needs, or what you are asking for is pretty straightforward.

You are asking for a configuration where net1 addresses always go through untranslated, both for incoming sessions and for outgoing sessions.
At the same time, there will be an IP (or many) from net2 configured on the firewall, and everything that comes to that IP will get NATted to an IP on net1. All return traffic, of course, will be translated (or not) according to the original requests.

Looks like something any box can do, including PIX.

Juliao Duarte
Director, Oblog Consulting

Oliver Humpage wrote:
<de-lurk>

Hallo all,

I was hoping to get some advice from people familiar with PIX firewall
configuration, to make sure one (e.g. the 515E) would do what I wanted it to
do before I buy it. I hope that's OK on this list.

I have a slightly complicated setup: essentially, there are 2 networks
coming into the server room, and one web server. The web server will be
hosting some sites on an IP on "net_1", and some on an IP on "net_2". It
currently has just one IP, on net_1.

I won't go into details, but letting the networks "mix" on the wires, VLANs,
or extra NICs are not solutions in my case. So it has to be done at the
border router.

What I'd really like is a router/firewall that can assume "net_1" is the
default, and pass packets to/from it, but if a packet comes in for net_2 it
rewrites it ("static NAT" essentially) to net_1.

So for instance:

Request comes in for net_1:

                  to net_1
-------------  <----------  ----------  <--- packet to net_1
| Web server|               | Router |
-------------  ---------->  ----------  ---> packet from net_1
                 from net_1


Request comes in for net_2:

                  to net_1
-------------  <----------  ----------  <--- packet to net_2
| Web server|               | Router |
-------------  ---------->  ----------  ---> packet from net_2
                 from net_1

Traffic originating from net_1 stays on net_1:

-------------               ----------
| Web server|               | Router |
-------------  --------->   ----------  ---> packet from net_1
                 from net_1

It's this third one that will require some tricksiness, since otherwise I'd
just use static NAT and have done with it.

Many thanks for any help/advice you can offer as to what kit will do this.

Oliver.


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
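As an added illustration, not part of the thread, here are Oliver's three cases modelled in Python: a plain bidirectional static NAT beside the stateful destination NAT that Juliao describes, where only replies to sessions that arrived on the net_2 address are rewritten back and everything the server originates stays on net_1. All addresses and ports are constructed.

```python
from dataclasses import dataclass

NET1_IP = "192.0.2.10"     # constructed: web server's real address on net_1
NET2_IP = "198.51.100.10"  # constructed: net_2 address held by the router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def naive_static_outbound(pkt: Packet) -> Packet:
    # Plain bidirectional static NAT: everything the server sends from NET1_IP
    # is rewritten to NET2_IP, which is exactly what breaks case 3.
    if pkt.src == NET1_IP:
        return Packet(NET2_IP, pkt.sport, pkt.dst, pkt.dport)
    return pkt


class TwistNAT:
    # Stateful destination NAT: inbound to NET2_IP becomes NET1_IP, and only
    # replies belonging to such a session are rewritten back on the way out.
    def __init__(self) -> None:
        # (client_ip, client_port, server_port) -> address the client really used
        self.sessions: dict = {}

    def inbound(self, pkt: Packet) -> Packet:
        # Router -> web server: record the session, rewrite net_2 to net_1.
        if pkt.dst not in (NET1_IP, NET2_IP):
            return pkt  # not addressed to the web server, pass through untouched
        self.sessions[(pkt.src, pkt.sport, pkt.dport)] = pkt.dst
        return Packet(pkt.src, pkt.sport, NET1_IP, pkt.dport)

    def outbound(self, pkt: Packet) -> Packet:
        # Web server -> router: translate back only if the session came via net_2.
        original = self.sessions.get((pkt.dst, pkt.dport, pkt.sport))
        if original == NET2_IP and pkt.src == NET1_IP:
            return Packet(NET2_IP, pkt.sport, pkt.dst, pkt.dport)
        return pkt  # case 1 replies and case 3 server-originated traffic stay on net_1


def run_cases() -> dict:
    # Replay the three cases from the post; client addresses are constructed.
    nat = TwistNAT()
    c1, c2, dns = "203.0.113.5", "203.0.113.6", "203.0.113.53"
    nat.inbound(Packet(c1, 40000, NET1_IP, 80))
    nat.inbound(Packet(c2, 40001, NET2_IP, 80))
    return {"case1_reply": nat.outbound(Packet(NET1_IP, 80, c1, 40000)),
            "case2_reply": nat.outbound(Packet(NET1_IP, 80, c2, 40001)),
            "case3_origin": nat.outbound(Packet(NET1_IP, 51000, dns, 53)),
            "case3_static": naive_static_outbound(Packet(NET1_IP, 51000, dns, 53))}
```

The model never ages out entries in `sessions`; a real firewall's xlate/connection table does, so replies arriving after the timeout would be dropped rather than translated.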


