Mark,

>>> Does the other site have direct connectivity to the site where the 'old'
ISP link is?

Yes it does. They are in their own routing domain at the moment. It's all Cisco
IGRP/EIGRP but their own domain nonetheless.

>>> 1) Change the routing table on the links between sites - they should only
carry traffic destined for the other site. 

We are doing this. Since they are in their own routing domain we do static
routes between the sites for any necessary cross-site traffic. In particular we
want to have our router management guys be able to access the border router
that is on the external side of the second FW. This is what brought up my
question about how do I NAT these router guys so that they can manage the
router. It would seem they would NAT to an address that is valid and reachable
through my first FW (that's how the NAT rules are at the moment) but they would
exit the network through my new FW (because that's where our static route sent
them). The return packets would try to come back into my network through my
first FW. However, since they exited via the other FW no state would be
available and it would drop them. Is this making sense?

>>> 2) Make sure that the default gateway for machines at each site are the
routers for that site's ISP link.

Understood. However, it was pitched to us that we could use the second ISP link
for a fallback in case of a failure of one of the two sites. We believe this is
possible by simply changing the default gateway at the site whose ISP link or
firewall failed. I've been told by the router guys that this is possible and it
"should" work just fine. Which brought to my mind the question about NAT'ing.

>>> 3) Set up separate NAT rules for each firewall. We've got two side by side,
and are using a lot of hiding translation. We're actually using two
separate rulebases, which is a pain to keep synchronized, but it works
beautifully.

We do hiding mostly. However we do have some hosts that we do static for inbound
connections. This combined with our desire to be able to fallback to the other
link if one fails brings up the sticky issue of NAT.

A. Assume HOST A has a static NAT rule defined on FW A.
B. I install that same NAT rule on FW B.
C. I have a failure on the ISP link connecting FW A to the Internet.
D. We change our routing to allow traffic that used to exit via FW A to flow out
through FW B.
E. The NAT rule translates HOST A into an address that is only reachable back
through FW A, which is down.

Now what do I do? I'm thinking I have to manually define NAT rules for every
host on every FW. Is that correct? HOST A would get a static address on FW A
that is valid on FW A, and get another, different address on FW B that is valid
on FW B. True?

I'm thinking of doing separate rulebases as well. But the question is can you
have a separate NAT base. I don't think you can, so if I've got to manage a
single nasty NATbase I might as well keep the rulebases combined as well. Oh
yeah, we have a single management station. You might have two which would make
this a non-issue for you.

Hope to hear from you,


______________________________________________________________

Greg Winkler
Systems Manager, IT&S
Huntsman Corporation
Internet Mail: [EMAIL PROTECTED]
Voice: (713) 235-6018
Fax: (713) 235-6890
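The failure mode described twice above (the router-management traffic that exits via the new FW but returns via the first, and steps A through E for HOST A) is easiest to see in a small model of two stateful firewalls. This is an added example, not code from the original posts or from any firewall product: it models each FW as a NAT table plus a connection-state table, and models the Internet as routing a reply to whichever FW's ISP range contains the translated address. All addresses are constructed RFC 5737 documentation ranges (192.0.2.0/24 for ISP A, 198.51.100.0/24 for ISP B, 10.1.1.10 for HOST A) and the firewall, host and server names are assumptions for the illustration.

```python
"""Model of asymmetric NAT across two firewalls with two ISP links.

Constructed example: two stateful firewalls, each with its own ISP address
range and its own static NAT table. A reply is admitted only by the firewall
that recorded the outbound state, and the Internet delivers the reply to the
firewall whose ISP range owns the translated source address.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """A stateful firewall with one ISP link and a static NAT table."""
    name: str
    isp_prefix: ipaddress.IPv4Network        # addresses the Internet routes to this FW
    nat: dict                                # internal IP -> translated (valid) IP
    up: bool = True                          # False models a failed ISP link
    state: set = field(default_factory=set)  # (translated_src, dst) seen outbound

    def send_out(self, src, dst):
        """Translate an outbound packet and record the state needed for its reply."""
        ext = self.nat[src]
        self.state.add((ext, dst))
        return ext

    def accept_reply(self, src, dst):
        """Admit a reply only if the matching outbound state exists on this FW."""
        return (dst, src) in self.state


def internet_route(firewalls, dst):
    """The Internet delivers a packet to whichever FW's ISP range contains dst."""
    addr = ipaddress.ip_address(dst)
    for fw in firewalls:
        if addr in fw.isp_prefix:
            return fw
    return None


def round_trip(firewalls, egress, host, server):
    """Send host -> server out through `egress`; report what happens to the reply."""
    ext = egress.send_out(host, server)
    ingress = internet_route(firewalls, ext)
    if ingress is None:
        return "dropped: unroutable translated address"
    if not ingress.up:
        return f"dropped: {ingress.name} link down"
    if not ingress.accept_reply(server, ext):
        return f"dropped by {ingress.name}: no state"
    return f"ok: out {egress.name}, back {ingress.name}"


def inbound_reachable(firewalls, published):
    """Inbound connection to a published static-NAT address: is the owning FW up?"""
    fw = internet_route(firewalls, published)
    return fw is not None and fw.up and published in fw.nat.values()


HOST_A = "10.1.1.10"      # constructed internal (invalid) address
SERVER = "203.0.113.5"    # constructed Internet server


def build(fw_b_rule):
    """Fresh pair of firewalls; FW A's rule is fixed, FW B's rule is the parameter."""
    fw_a = Firewall("FW A", ipaddress.ip_network("192.0.2.0/24"), {HOST_A: "192.0.2.10"})
    fw_b = Firewall("FW B", ipaddress.ip_network("198.51.100.0/24"), {HOST_A: fw_b_rule})
    return fw_a, fw_b


def scenario_copied_rule():
    """Steps A-E: FW A's static NAT rule copied verbatim onto FW B."""
    fw_a, fw_b = build("192.0.2.10")
    normal = round_trip([fw_a, fw_b], fw_a, HOST_A, SERVER)      # symmetric path
    fw_a, fw_b = build("192.0.2.10")
    asymmetric = round_trip([fw_a, fw_b], fw_b, HOST_A, SERVER)  # static route sends it via FW B
    fw_a, fw_b = build("192.0.2.10")
    fw_a.up = False                                              # step C: ISP link A fails
    failover = round_trip([fw_a, fw_b], fw_b, HOST_A, SERVER)    # step D
    return normal, asymmetric, failover


def scenario_per_firewall_rule():
    """FW B translates HOST A to an address from FW B's own ISP range instead."""
    fw_a, fw_b = build("198.51.100.10")
    fw_a.up = False
    outbound = round_trip([fw_a, fw_b], fw_b, HOST_A, SERVER)
    # Inbound static NAT: the address published for FW A dies with FW A's link;
    # only the FW B address stays reachable.
    return outbound, inbound_reachable([fw_a, fw_b], "192.0.2.10"), \
        inbound_reachable([fw_a, fw_b], "198.51.100.10")


if __name__ == "__main__":
    print(scenario_copied_rule())
    print(scenario_per_firewall_rule())
```

The copied-rule scenario fails even while FW A's link is still up: the reply is routed to FW A, which never saw the outbound packet and has no state for it, so it is dropped there; once the link is down it is dropped before reaching any firewall. With a per-firewall address the reply comes back to the same firewall that created the state. The inbound half of the model shows the remaining cost of that fix: a host published on FW A's address is unreachable while FW A's link is down unless clients are also told about its FW B address.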



____________________Reply Separator____________________
Subject:    Re: 2 ISP's and 2 Firewall's, effect on NAT
Author: [EMAIL PROTECTED]
Date:       3/15/00 4:06 PM

--On Wednesday, March 15, 2000, 2:54 PM -0600 [EMAIL PROTECTED]
wrote:

> We will soon have another ISP connection to the Internet. Behind this new
> ISP we will have another firewall. Both the new ISP link and FW will be
> located in another site. The new our new ISP connection has it's own IP
> address range which is of course different from that on our existing ISP.
> 
> We have invalid addresses internally. I'm hiding our invalid addresses
> behind an unused valid address (our hiding address). With one firewall
> it's pretty simple and the automatic NAT rules work fine. I was wondering
> what I need to do to get the NAT rules set up for the second FW.
> 
> If I leave the existing NAT rules in place and install them on all
> gateways wouldn't I be creating a circular traffic pattern for packets
> that leave our network via the second firewall? It would seem that they
> would get NAT'd to the other firewall's hiding address. The packets would
> leave via FW B and return via FW A. I don't think it will work because FW
> A wouldn't have state information to allow the return packets. What do I do?
> 
> I'm new to firewalling and this seems a complicated topic so excuse me if
> this makes little sense.

Does the other site have direct connectivity to the site where the 'old'
ISP link is? If so, you need to do a few things to make sure that you don't
break things.
1) Change the routing table on the links between sites - they should only
carry traffic destined for the other site. 
2) Make sure that the default gateway for machines at each site are the
routers for that site's ISP link.
3) Set up separate NAT rules for each firewall. We've got two side by side,
and are using a lot of hiding translation. We're actually using two
separate rulebases, which is a pain to keep synchronized, but it works
beautifully.

Please let me know if I've raised more questions.

-Mark

--
Mark Halsall                            [EMAIL PROTECTED]
Internet Specialist, Hamilton/Clermont Cooperative Association
                   (513) 931-7120, x20
Personal email should go to <mailto:[EMAIL PROTECTED]>.
