
Re: [FW1] Multiple networks with single management console



Jim,
 
CP SiteManager may be the way for you, so you can manage several co-location sites without problems mixing logs and objects, as well as management issues, scalability, et al.
 
Best wishes
 
Aylton
----- Original Message -----
Sent: Friday, April 06, 2001 4:52 PM
Subject: [FW1] Multiple networks with single management console

Hello all,

I'm trying to set up a 2nd firewall to manage some systems at a co-location site. Some of the systems are strictly ours (internal DMZ in a 1 way trust NT domain) and some will be accessed by multiple 3rd parties. There's an Internet connection at the site, so that's defined as my external interface and where I'm doing the NAT.

My problem comes with the 3rd party equipment. For the sake of argument (forcing folks to understand that I need to keep these entities separate from our internal domain) I'm giving those machines 10net addresses (in theory). This makes it easy to demonstrate to them the security issues involved since I can't have 10.1.1.1 internal communicating with 10.1.1.1 external. (Although I do need to manage/monitor the machines from the internal 10net)

I like the idea of 2 10nets, but in practice I can't find a way to NAT the external 10net or to define the objects and separate them from my internal 10net. As I understand it, the problems I run into are:

Only 1 interface can be defined as external, and that's where my NAT will take place.
All the network objects are contained in the same objects.c file no matter what policy they belong to.

Without going to Provider-1 or buying an additional management console and firewall, is there a way that I can use 10net IPs at both locations and still manage the firewall modules from the same mgmt console? (I'm currently not using 10.x.x.x, but I'd like to). Can I somehow use a combination of separate policies on separate fw modules and Install-On only certain 10.x.x.x interfaces or will I still run into routing problems, etc?

Is anyone doing something similar or found another secure workaround besides using a different IP scheme?

Thanks!
Jim



 
   All contents © 2004 Network Presence, LLC. All rights reserved.