Re: [fw-wiz] NAT sanity check



On 11/2/07, David Steele <steeled3@xxxxxxxxx> wrote:
Hi,

I'm hoping someone can provide a sanity check on the following configuration
- i.e.: will it work?

I've got a /29 public network, addresses (say) .2 to .6, with default
gateway of .1. Can I place a Checkpoint firewall on .2 and have it use the
remaining addresses for NAT'd services on the other side of the firewall?

Yes, not a problem: use static ARPs on the firewall (Cisco calls it proxy ARP).
FW-1 will automagically create them for you as well, but there have been issues
with this in the past (depends on OS and firewall revision).


I ask as I'm certain I've done this in the past, but I'm a few years out of
doing firewall work and my current technical contact reckons this won't work
- that the default gate will ARP for the address and the .2 firewall won't
respond; and that furthermore the only way to use the addresses would be to
put a different subnet between the default gateway and the firewall and
route the /29 network to the firewall (which I agree will work, but...)

Hmm, time for a new technical contact...
I actually prefer the route-based method, but then I have address space
to burn a /30 on.


Also, would it work if the firewall was a PIX?

Should do. I think the PIX will even create them for you
if you configure NAT rules.


TIA

--
_______________________________
David Steele

<insert sig line witticism here>
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




--
jac
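
The two designs discussed in this thread, modelled as an added example that is not part of the original messages: it shows which address the upstream gateway ARPs for in each design and which NAT addresses go unanswered. The prefixes 192.0.2.0/29 and 198.51.100.0/30 are documentation ranges standing in for the poster's /29 and a transit /30; the MAC address, class names and function names are constructed for illustration.

```python
import ipaddress as ip

FW_MAC = "02:00:00:00:00:02"  # constructed firewall MAC
NAT_IPS = ["192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6"]  # stand-ins for .3 to .6

class Host:
    """Device on the outside segment: its own IPs plus published (proxy) ARP entries."""
    def __init__(self, mac, own, published=()):
        self.mac = mac
        self.answers = {ip.ip_address(a) for a in (*own, *published)}

class Router:
    """Upstream default gateway: connected networks and static routes."""
    def __init__(self, connected, routes=None):
        self.connected = [ip.ip_network(n) for n in connected]
        self.routes = {ip.ip_network(p): ip.ip_address(nh)
                       for p, nh in (routes or {}).items()}

    def arp_target(self, dst):
        """Longest-prefix match: the address the router must ARP for, or None."""
        dst = ip.ip_address(dst)
        hits = [(n, dst) for n in self.connected if dst in n]  # on-link: ARP for dst itself
        hits += [(p, nh) for p, nh in self.routes.items() if dst in p]  # routed: ARP for next hop
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def deliver(router, segment, dst):
    """MAC that receives a packet for dst, or None when the ARP request goes unanswered."""
    target = router.arp_target(dst)
    return next((h.mac for h in segment if target in h.answers), None)

def black_holed(router, segment, nat_ips=NAT_IPS):
    """NAT addresses the gateway cannot resolve, i.e. services unreachable from outside."""
    return [a for a in nat_ips if deliver(router, segment, a) is None]

def scenarios():
    onlink = Router(["192.0.2.0/29"])  # gateway sits directly on the /29
    routed = Router(["198.51.100.0/30"], {"192.0.2.0/29": "198.51.100.2"})
    return {
        "on-link, no proxy ARP": black_holed(onlink, [Host(FW_MAC, ["192.0.2.2"])]),
        "on-link, proxy ARP": black_holed(onlink, [Host(FW_MAC, ["192.0.2.2"], NAT_IPS)]),
        "routed via /30": black_holed(routed, [Host(FW_MAC, ["198.51.100.2"])]),
    }

if __name__ == "__main__":
    for name, lost in scenarios().items():
        print(f"{name}: {'unanswered ARP for ' + ', '.join(lost) if lost else 'all reachable'}")
```

The same `black_holed` check can be pointed at a real rule base by feeding it the list of NAT addresses and the ARP entries actually published on the firewall, which catches the case where automatic proxy ARP creation silently failed.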