Re: Reverse NAT and Masquerade Question
From: Steven J. Hathaway (shathawa_at_e-z.net)
Date: Mon, 23 Jun 2003 21:53:51 -0700
Allen Kistler wrote:
> Steven J. Hathaway wrote:
> > This is a network feasibility question.
> > Do you know which of the following firewalls can perform a reverse
> > address translation?
> > Checkpoint Firewall-1
> > Netfilter (IPtables)
> > CISCO IOS Firewall
> > CISCO PIX Firewall
> > The issue is to map a specific external IP address or transport domain
> > address onto a
> > local network IP address. The result of which would allow a workstation
> > or server on the
> > local network to establish a session to a remote host by virtue of
> > addressing data to the
> > virtualized local IP address.
> > [snip]
> They can all do one-to-one NAT. Depending upon how your ISP connection
> is configured, you may also need to set up proxy arp for the "virtual"
> addresses (if they're truly virtual).
> One-to-one means just that. One external address to one internal
> address. There's no dynamic remapping like many-to-one (10.x internal
> with a single external). So if you want a bunch of machines to be
> visable externally, you need that many IP addresses, generally.
> (Sometimes you can overlap if each internal machine offers different
> services, but that's getting a bit trickier than your question.)
My problem is not the forward-nat addressing that firewall devices implement.
Reverse-nat is independent of the number of IP addresses a service provider
gives you for communications. Dial-up point-to-point connections with
dynamic IP assignment should also work.
A trivial example of what I am looking for is to allow local machines to
access an external DNS server without having to know its public IP address
or DNS name. All the local machines need to do is to place in their
configuration files the virtual local IP address that is NAT translated
to some external DNS.
Then when the remote DNS fails - functionality can be restored by creating
another reverse=nat mapping to a functional DNS elsewhere. I then do not
have to reconfigure the local machines for DNS access.
My true requrements go beyond this trivial DNS example.
- Steve Hathaway