[FW1] More about NAT...sorry for the repetition
I know we've had a ton of stuff going around about NAT & FW1 & SecureRemote, but none of it is making sense to me. So, I will put forth my own questions. Currently, my network has public addresses and no DMZ. Using FW1 4.0 on an NT 4.0 box. We are going to set it up so the internal network is 10.x.x.x, with the Firewall having a DG of 10.x.x.1 and an external IP of 64.x.x.1, using NAT to statically translate to a couple of boxes (Mail & Web server) that are currently within the 10.x.x.x network (but will eventually be moved out to the DMZ with public addresses.) All others can use a NAT range. All users at 10.x.x.x need to get to Internet & DMZ and all boxes in DMZ need to get to the 10.x.x.x network.

          Internet
              |
         +--------+
         | Router |
         +--------+
              |
    DMZ 64.x.x.x 255.255.250.0
              |
    +-------------------+
    |     Firewall      |
    |  Ext: 64.x.x.1    |
    |  Int: 10.x.x.1    |
    +-------------------+
              |
      Internal Network
          10.x.x.x

Mail Server: 10.x.x.10 (Valid address of 64.x.x.10)

We are also using Secure Remote with FWZ, not IKE, which I understand I need to change. I am just unclear how to set up the rules and about using IKE. Here are my questions:

1. On the "Internal Network" object, I have given it the IP of 10.x.x.0 with SN of 255.0.0.0. In the NAT area, we are using STATIC (Cuz we don't want to use PAT) of 64.x.x.75 (Because the first 74 addresses we want to save for other things.) I assume it will translate everything coming OUT from the 10.x.x.0 network into 64.x.x.75-254 addresses. Is this correct?

2. For the rule to allow all SMTP traffic from the Internet to MAIL with an inside address of 10.x.x.10, in the IP Address area, we put the 10.x.x.10 address, and on the NAT tab, we use STATIC and put in the Valid IP Address of the 64.x.x.10 that it needs to be translated into in the outside world. Is this correct? Does this need to be outside the range of 64.x.x.75 that we gave for the Network NAT or is it smart enough to know not to give out 64.x.x.10 to any other box?

3. For Secure Remote, I guess I will need to change the type of encryption used in A) the Firewall object and B) all user properties.
- Can I use BOTH ISAKMP/OAKLEY (I guess that's now known as IKE) & FWZ? Is there a reason to do that?
- I am totally confused as to how to set up the IKE properly. It's totally different. Can anyone give me tips or point me somewhere where I can find out the specifics of setting up IKE?

Help me please!
Sorry if this is a repeat of everything else that's been going around.
Thanks in advance.
Amanda
Amanda Acheson
Senior Network Administrator, MCSE
MedChannel
Cell:
Phone: