
Re: [FW-1] internal network/NAT (eventually VPN)



This doesn't make sense. I can't be the only one on the planet with this
problem:
Example: I have 100 employees with PC's in New York. I have 5 servers also
at that location. There are dedicated links to multiple sites (router
connected) for each of those NY locations:
Site NY-A: 15.15.x.x mask 255.255.0.0, has FW'd access to 'net.
Site NY-B: 15.20.x.x mask 255.255.0.0
Site NY-C: 15.30.x.x mask 255.255.0.0
Site NY-D: 15.40.x.x mask 255.255.0.0

Site LA-A: 15.5.x.x mask 255.255.0.0 has FW'd access to 'net.

I have 100 employees with PC's in Los Angeles. 5 servers there, too.
I need all 200 employees to access the other location's servers
(eventually with VPN) across the internet, firewall protected.
From #2 below, would each "host" (employee PC?) need a static NAT'd
one-for-one external IP address?
I think I can handle the routing issues (I think...) but this whole
"hide"/NAT thing is very confusing.

Thanks,
Vic
-----------
>1. If you want your hosts behind the firewall to be accessible via the
>internet, you cannot use hide nat.  There are three options for having your
>hosts accessible via the net: static nat, no NAT at all (which I don't
>think is what you want), or PAT.
>
>2. Every host that you want accessible via the internet needs to have a
>publicly routeable ip address associated (ie statically nat'ed) with it -
>in your case a 12.x.x.x address makes the most sense - again this
>association is one to one.
>
>3. The firewall will nat the 12.x address to the appropriate 15.x address
>and routing can take care of the rest.  However, since the 15.x network is
>not directly connected to the firewall, the firewall needs to know how to
>get there, so a static route is needed on the firewall pointing the 15.x to
>the 10.x router between the 10.x and 15.x networks.
>
>4. The default route on hosts on the 15.x network should be the 15.x
>router.  That router then needs to know what to do with packets destined
>for the internet, so should therefore point to the firewall.
>
>If I understand your situation correctly, the above should get you there.
>
>Also, if anyone cares to correct the above, have at it.
>
>todd
>
>
>----- Original Message -----
>From: Vic G
>Sent: Wednesday, October 30, 2002 3:42 PM
>To: [email protected]
>Subject: Re: [FW-1] internal network/NAT (eventually VPN)
>
>More info:
>1. FW NG SP1 is running on Win2k.
>
>2. I added a route statement at FW to route all 15.x traffic to 10.x.x.x
>router. Do I really need to do that? (when the NAT unwraps, does it unwrap
>as 10.x.x.x or 15.x.x.x)?
>
>3. I found that I can add a new "network" of 15.0.0.0 and NAT that to "hide"
>behind real external IP address of (12.x.x.x). Is this on the right path to
>getting my "very internal" hosts to be accessible via the 'net?
>Currently my "internalnet" as defined in FW-1 is only 10.x.x.x since that's
>all that is there (my DMZ servers).
>
>4. After all this, I set a client PC on the 15.x network, and added route
>statements to send traffic destined to 10.x network to the 15.x router. The
>default gateway on this PC is my FW, 10.10.10.1
>This does NOT work. I can ping my DMZ hosts on the 10.x (so I know packets
>are getting to the 10 side) but there is no log info on the FW when I ping
>it, try to use nslookup, or browse the 'net from this PC.
>
>Any ideas?
>Vic
>
> >
> >arp your router on an External ip on the firewall (don't forget to route
> >to it)
> >accept with a rule the traffic you are interested in.
> >
> >Pete
> >
> >
> >-----Original Message-----
> >From: Vic G [mailto:[email protected]]
> >Sent: Wednesday, October 30, 2002 10:56 AM
> >To: [email protected]
> >Subject: [FW-1] internal network/NAT (eventually VPN)
> >
> >
> >I'm attempting to set this up, here is my config (be kind..)
> >
> >Very int              IntDMZ        FW       External
> >15.x.x.x    Router  10.10.10.x     10-12     12.x.x.x
> >
> >
> >There is a router between "very internal", (which also has other routers
> >to more internal nets...)
> >I need a client on the outside (internet) to be able to get to a very
> >internal host station (eventually VPN to a similar setup on other side). I
> >have on my INT DMZ some hosts (Static Nat'd to the external address) and
> >that works OK. The Router is static NAT'd as a workstation, with NAT
> >enabled. (one IP is 10.x.x.x, other is 15.x.x.x) I've tried HIDE and STATIC
> >(not sure what it should be...)
> >The Internet router has static route statements to force the external
> >address to the FW. How does someone on the Internet address (what could be)
> >many internal addresses on the inside networks?
> >
> >All the examples I see are only 1 level deep (ie the 10.x.x.x is
> >hide/natted
> >to the outside). I need to get 1 more level in.
> >
> >What am I missing here?
> >Vic
> >
> >
> >=================================================
> >To set vacation, Out Of Office, or away messages,
> >send an email to [email protected]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[email protected]
> >=================================================
> >
>
>
>
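The NAT and routing points argued over in this thread (Todd's numbered reply: static one-to-one NAT versus hide NAT, the static route the firewall needs for the 15.x network, and the default gateway on the 15.x hosts; plus the "no log entries on the FW" symptom in Vic's point 4) can be checked in a small simulation. This is an added example, not code from the thread or from Check Point. It uses the thread's own 12.x / 10.x / 15.x ranges, but every specific host, the DMZ-side address of the internal router (10.10.10.2) and the Internet router (12.0.0.1) are constructed placeholders.

```python
"""Toy model of static NAT vs hide NAT and of the routing hops in the thread.

Constructed example, not Check Point code. Address ranges follow the thread
(12.x public, 10.x DMZ, 15.x "very internal"); the specific hosts, the
DMZ-side address of the internal router (10.10.10.2) and the Internet
router (12.0.0.1) are assumed placeholders.
"""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, next_hop), ...]; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


class StaticNat:
    """One-to-one mapping, valid in both directions (Todd's points 1 and 2)."""

    def __init__(self, pairs):
        self.pub_to_priv = dict(pairs)
        self.priv_to_pub = {priv: pub for pub, priv in pairs}

    def inbound(self, dst_pub, dst_port=None):
        return self.pub_to_priv.get(dst_pub)   # None: nothing to translate to

    def outbound(self, src_priv):
        return self.priv_to_pub.get(src_priv)


class HideNat:
    """Many hosts behind one public address. A table entry exists only for
    connections the inside started, so an unsolicited inbound packet has
    nowhere to go; this is why hide NAT cannot expose a host."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # (public_ip, translated_port) -> (priv_ip, port)
        self.next_port = 10000   # translated source ports handed out in order

    def outbound(self, src_priv, src_port):
        port = self.next_port
        self.next_port += 1
        self.table[(self.public_ip, port)] = (src_priv, src_port)
        return (self.public_ip, port)

    def inbound(self, dst_pub, dst_port=None):
        return self.table.get((dst_pub, dst_port))   # (priv_ip, port) or None


# Firewall routes. "direct" marks a connected interface. Without the 15.0.0.0/8
# entry the translated packet matches only the default route back toward the
# Internet, which is the static route Todd's point 3 says must be added.
INTERNET_ROUTER = "12.0.0.1"             # assumed placeholder
INTERNAL_ROUTER_DMZ_SIDE = "10.10.10.2"  # assumed placeholder
FW_ROUTES_MISSING_STATIC = [("0.0.0.0/0", INTERNET_ROUTER), ("10.0.0.0/8", "direct")]
FW_ROUTES = FW_ROUTES_MISSING_STATIC + [("15.0.0.0/8", INTERNAL_ROUTER_DMZ_SIDE)]


def deliver_inbound(nat, routes, dst_pub, dst_port=None):
    """Internet client -> 12.x address: translate first, then route the real
    15.x destination. Returns a tuple describing what the firewall did."""
    hit = nat.inbound(dst_pub, dst_port)
    if hit is None:
        return ("dropped", "no NAT mapping for " + dst_pub)
    priv = hit[0] if isinstance(hit, tuple) else hit
    next_hop = lookup(routes, priv)
    if next_hop is None or next_hop == INTERNET_ROUTER:
        return ("misrouted", priv, next_hop)
    return ("forwarded", priv, next_hop)


def gateway_on_link(host_ip, netmask, gateway):
    """Todd's point 4: a host's default gateway must sit on the host's own subnet.
    A 15.x PC pointed at the firewall's 10.10.10.1 has no on-link next hop, so
    its Internet-bound packets never reach the firewall and nothing is logged,
    which matches the symptom in Vic's point 4."""
    subnet = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(gateway) in subnet


if __name__ == "__main__":
    static = StaticNat([("12.0.0.10", "15.15.1.50")])      # constructed pair
    print(deliver_inbound(static, FW_ROUTES, "12.0.0.10"))
    print(deliver_inbound(static, FW_ROUTES_MISSING_STATIC, "12.0.0.10"))
    hide = HideNat("12.0.0.20")
    print(deliver_inbound(hide, FW_ROUTES, "12.0.0.20", 80))   # unsolicited: dropped
    print(hide.inbound(*hide.outbound("15.15.1.50", 40000)))    # reply to own connection
    print(gateway_on_link("15.15.1.50", "255.255.0.0", "10.10.10.1"))
    print(gateway_on_link("15.15.1.50", "255.255.0.0", "15.15.0.1"))
```

Running the module shows the static mapping being forwarded to the 10.x router only when the 15.0.0.0/8 route is present, the hide address dropping anything the inside did not initiate, and the off-subnet default gateway failing the on-link check.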


