Re: Reverse NAT and Masquerade Question

From: Steven J. Hathaway (
Date: 06/24/03

  • Next message: Barry: "Newbie setting up a pop server"
    Date: Mon, 23 Jun 2003 21:53:51 -0700

    Allen Kistler wrote:

    > Steven J. Hathaway wrote:
    > > This is a network feasibility question.
    > >
    > > Do you know which of the following firewalls can perform a reverse
    > > address translation?
    > >
    > > Checkpoint Firewall-1
    > > Netfilter (IPtables)
    > > CISCO IOS Firewall
    > > CISCO PIX Firewall
    > >
    > > The issue is to map a specific external IP address or transport domain
    > > address onto a
    > > local network IP address. The result of which would allow a workstation
    > > or server on the
    > > local network to establish a session to a remote host by virtue of
    > > addressing data to the
    > > virtualized local IP address.
    > >
    > > [snip]
    > They can all do one-to-one NAT. Depending upon how your ISP connection
    > is configured, you may also need to set up proxy arp for the "virtual"
    > addresses (if they're truly virtual).
    > One-to-one means just that. One external address to one internal
    > address. There's no dynamic remapping like many-to-one (10.x internal
    > with a single external). So if you want a bunch of machines to be
    > visible externally, you need that many IP addresses, generally.
    > (Sometimes you can overlap if each internal machine offers different
    > services, but that's getting a bit trickier than your question.)

    My problem is not the forward-nat addressing that firewall devices implement.

    Reverse-nat is independent of the number of IP addresses a service provider
    gives you for communications. Dial-up point-to-point connections with
    dynamic IP assignment should also work.

    A trivial example of what I am looking for is to allow local machines to
    access an external DNS server without having to know its public IP address
    or DNS name. All the local machines need to do is to place in their
    configuration files the virtual local IP address that is NAT translated
    to some external DNS.

    Then when the remote DNS fails - functionality can be restored by creating
    another reverse-nat mapping to a functional DNS elsewhere. I then do not
    have to reconfigure the local machines for DNS access.

    My true requirements go beyond this trivial DNS example.

    - Steve Hathaway
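The DNS case from the post above, implemented on netfilter (one of the four firewalls asked about), as an added example that is not part of the original thread. The firewall owns a virtual address on the LAN; a PREROUTING DNAT rewrites anything sent to it so it goes to the real external resolver, and a POSTROUTING masquerade makes the replies come back through the firewall so conntrack can reverse both translations. Clients only ever configure the virtual address; failing over to another resolver is a rule swap on the firewall. Interface names (eth0 inside, eth1 outside) and all addresses (10.0.0.253 as the virtual address, 192.0.2.53 and 198.51.100.53 from the documentation ranges as the external resolvers) are constructed for illustration. The script prints the commands for review; with --apply it runs them, which needs root.

```shell
#!/bin/sh
# Added example, not code from the original thread. "Reverse NAT" with
# netfilter: a virtual LAN address is DNAT'ed to a real external DNS server,
# so local hosts only configure the virtual address and a failover is a rule
# swap on the firewall. Interface names and addresses are constructed.

LAN_IF=eth0   # inside interface of the firewall (assumption)
WAN_IF=eth1   # outside interface, possibly with a dynamic address (assumption)

# Emit the iptables commands that map a virtual LAN address ($1) to a real
# external host ($2). $3 is the iptables action: -A to add, -D to delete.
reverse_nat_rules() {
    virt="$1"; real="$2"; action="${3:--A}"
    # Rewrite the destination before the routing decision, so the packet is
    # forwarded instead of delivered locally even though the firewall owns
    # the virtual address.
    printf 'iptables -t nat %s PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$action" "$LAN_IF" "$virt" "$real"
    # Source-translate on the way out so replies return to this firewall;
    # conntrack then undoes both translations and the client sees answers
    # coming from the virtual address. MASQUERADE rather than SNAT so this
    # also works on a dial-up link whose public address changes.
    printf 'iptables -t nat %s POSTROUTING -o %s -d %s -j MASQUERADE\n' \
        "$action" "$WAN_IF" "$real"
    # Let the translated flow through the filter table (DNS on udp and tcp 53).
    # FORWARD sees the post-DNAT destination. Return traffic is assumed to be
    # covered by the usual ESTABLISHED,RELATED rule.
    for proto in udp tcp; do
        printf 'iptables %s FORWARD -i %s -o %s -d %s -p %s --dport 53 -j ACCEPT\n' \
            "$action" "$LAN_IF" "$WAN_IF" "$real" "$proto"
    done
}

# Fail over: retire the mapping of virtual address $1 to $2 and point it at $3.
# Open TCP sessions to the old resolver keep their conntrack entries until they
# close; UDP entries expire within seconds, so clients using the virtual
# address simply start reaching the new server. Nothing changes on the clients.
swap_target() {
    reverse_nat_rules "$1" "$2" -D
    reverse_nat_rules "$1" "$3" -A
}

# The firewall must answer ARP for the virtual address on the LAN so the
# clients' packets reach it. Giving the inside interface the address as a /32
# does that without proxy ARP. Forwarding must be enabled.
host_setup() {
    printf 'ip addr add %s/32 dev %s\n' "$1" "$LAN_IF"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Usage: sh reverse-nat.sh [--apply] VIRTUAL_IP REAL_IP
# Without --apply the commands are printed for review; with it they are run.
case "${1:-}" in
    --apply) shift; { host_setup "$1"; reverse_nat_rules "$1" "$2"; } | sh ;;
    "") : ;;   # no arguments: only define the functions
    *) host_setup "$1"; reverse_nat_rules "$1" "$2" ;;
esac
```

`sh reverse-nat.sh 10.0.0.253 192.0.2.53` prints the setup; `swap_target 10.0.0.253 192.0.2.53 198.51.100.53 | sh` moves the virtual address to the second resolver. The rules match on the translated destination, so the same virtual address can be remapped any number of times without touching the clients' resolver configuration.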

