Re: [fw-wiz] IPv6

On 12/29/2010 11:33 AM, Martin Barry wrote:
Mathew Want wrote:

Because I do not want my workstations to be routed to from the internet.

Then you want a stateful firewall, not NAT66.

Or do you have other reasons for wanting NAT66?

I see NAT66 helpful on eg site-to-site VPNs.

eg. Suppose that I have the prefix 2001:db8:85a3::/48 and I have some of my
internet accessible machines on 2001:db8:85a3:3::/64 and some "internal"
machines on 2001:db8:85a3:2::/64 and 2001:db8:85a3:4::/64.

If the other side of the site-to-site VPN routes the whole
2001:db8:85a3::/48 over the VPN in order to access the "internal"
machines, they will also try to reach the Internet accessible machines
over the site-to-site VPN, which could mean that they bypass some
controls, or that I have to open tons of ACLs on various firewalls, not to
mention the possible asymmetric routing issues.

If I could NAT66 the 2001:db8:85a3::/48 to a ULA::/48 space, I believe it would be much easier to manage, since the other side would have to route the ULA space to the VPN.

John Kougoulos
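The routing problem described above, worked through as an added example (not code from anyone on this thread). It uses the /48, the public 3::/64 and the internal 2::/64 and 4::/64 from the message, plus a constructed ULA prefix fd12:3456:789a::/48 as the translation target. It shows that routing the whole /48 over the VPN also captures the public subnet, that routing only the internal /64s (or the /48 minus the public /64) avoids that without any address translation, and what a plain prefix swap of global prefix to ULA prefix looks like; the swap is a simple illustration of the idea, not a full NAT66 implementation.

```python
import ipaddress

# Prefixes taken from the message above
SITE_PREFIX = ipaddress.ip_network("2001:db8:85a3::/48")
PUBLIC_SUBNETS = [ipaddress.ip_network("2001:db8:85a3:3::/64")]
INTERNAL_SUBNETS = [
    ipaddress.ip_network("2001:db8:85a3:2::/64"),
    ipaddress.ip_network("2001:db8:85a3:4::/64"),
]
# Constructed ULA prefix used as the NAT66 translation target (an assumption)
ULA_PREFIX = ipaddress.ip_network("fd12:3456:789a::/48")


def routed_over_vpn(vpn_routes, dst):
    """True if the peer would send traffic for address dst into the VPN,
    i.e. dst falls inside any prefix the peer routes over the tunnel."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in vpn_routes)


def internal_only_routes(internal):
    """Option 1: advertise only the internal subnets to the peer
    (adjacent ones are merged). No translation needed."""
    return list(ipaddress.collapse_addresses(internal))


def carve_out_routes(site, public):
    """Option 2: advertise the whole site prefix minus the public subnets.
    address_exclude() splits `site` into the longest prefixes that cover
    everything except each public block."""
    remaining = [site]
    for pub in public:
        nxt = []
        for net in remaining:
            if pub.subnet_of(net):
                nxt.extend(net.address_exclude(pub))
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def translate_prefix(addr, from_net, to_net):
    """Option 3 (the NAT66 idea from the message): replace the global /48
    with the ULA /48, keeping the subnet id and interface id bits intact.
    This is a bare prefix substitution for illustration only."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("source and target prefixes must be the same length")
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{a} is not inside {from_net}")
    host_bits = 128 - from_net.prefixlen
    low = int(a) & ((1 << host_bits) - 1)
    return ipaddress.ip_address(int(to_net.network_address) | low)


if __name__ == "__main__":
    public_host = "2001:db8:85a3:3::1"
    internal_host = "2001:db8:85a3:4::10"
    print("whole /48 routed, public host via VPN:",
          routed_over_vpn([SITE_PREFIX], public_host))
    routes = internal_only_routes(INTERNAL_SUBNETS)
    print("internal-only routes:", [str(r) for r in routes])
    print("public host via VPN:", routed_over_vpn(routes, public_host))
    print("internal host via VPN:", routed_over_vpn(routes, internal_host))
    carved = carve_out_routes(SITE_PREFIX, PUBLIC_SUBNETS)
    print(f"/48 minus public /64 needs {len(carved)} routes")
    print("ULA view of internal host:",
          translate_prefix("2001:db8:85a3:2::10", SITE_PREFIX, ULA_PREFIX))
```

Routing only the internal /64s is the smallest change for the peer, while carving the public /64 out of the /48 costs 16 prefixes (one per bit between /48 and /64), which is the kind of ACL and route sprawl the message complains about; the ULA swap keeps a single /48 on the peer's side, at the price of running translation at the VPN edge.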

firewall-wizards mailing list