Doesn't NAT break multicast as well?

- James D. Wilson
"non sunt multiplicanda entia praeter necessitatem"
William of Ockham (1285-1347/49)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Nagy
Sent: Monday, May 24, 1999 6:19 PM
To: 'Jen'
Cc: [EMAIL PROTECTED]
Subject: RE:

There are some things that just don't work through NAT. MS WINS and MS NETLOGON are a couple of examples. I seem to remember that MS NetMeeting is another potential candidate, although some implementations of NAT have been "fixed" to deal with it.

The problems usually arise when the payload of the packet (rather than the IP header) contains the source address, and the target application uses the address from the _payload_ instead of the address from the _header_ to send its reply to.

Note that the subnetting thing I talked about only gives you 128 (126) internal LAN addresses if you want to have a single broadcast domain, because you need to stitch up all the "odd" subnets by multihoming your internal Ethernet interface. Ew.

A much, much better solution if you can't use NAT (you poor thing) is to buy a class C and then buy another couple of IP addresses from your ISP to use as the external addresses. If you only need 2 as in the diagram (i.e. you don't want a DMZ) a 255.255.255.252 netmask will suffice.

I dunno if I should expound much on the subnetting thing... it's confusing but not really apropos firewalls. Maybe mail me offlist, ask_.

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520

-----Original Message-----
From: Jen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 25, 1999 1:43 PM
To: Ben Nagy
Cc: 'Paul Gracy'; [EMAIL PROTECTED]
Subject: Re:

[EMAIL PROTECTED],

Out of curiosity, why wouldn't you want to use private addresses? If the issue is that you want to have a Web server at a.b.c.4, a mail server at a.b.c.5, an ftp server at a.b.c.6, etc., then you can achieve this with NAT on the firewall.

I think the confusion might be that you're thinking that the firewall can only do one sort of NAT, which is masquerading (where all private addresses translate to a single registered IP address). You can also do static NAT where

10.0.0.192 translates to a.b.c.4
10.0.0.231 translates to a.b.c.5

and so on and so forth. Some firewall products enable this (e.g., Checkpoint FW-1). Some do not (e.g., WatchGuard Firebox). Just make sure you get a firewall with the feature set you're interested in.

Jen

Ben Nagy wrote:
>
> Couldn't you just tell the firewall specifically which IP addresses are in
> the trusted network and which weren't? Failing that, can you variably subnet
> your class C so the firewall thinks of them as different networks?
> That's assuming that you really need to avoid using NAT, which is generally
> contraindicated....
>
> --
> Ben Nagy
> Network Consultant, CPM&S Group of Companies
> Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
>
> -----Original Message-----
> From: Paul Gracy [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 25, 1999 2:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE:
>
> The biggest problem with this design is not the firewall.. it's the routing
> table...
>
> I've never tried, but I think PIX might be able to do this based on
> aliases... but you really need to rethink your design and get your subnets
> separated somehow or you're going to have issues, no matter whose firewall
> you choose.
>
> IMHO.
>
> -----Original Message-----
> From: Ask - [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 21, 1999 5:53 AM
> To: [EMAIL PROTECTED]
> Subject:
>
> Hi,
> Does anyone know of a firewall product that can do this?
>
> Internet ------- Router -------- Firewall ----- Internal
>
> where
> Router IP is a.b.c.1
> Firewall IP is a.b.c.2
> Internal IPs are a class C of registered IP addresses, a.b.c.3 -- a.b.c.254
>
> The normal firewall product is required to have one registered IP, and the
> internal LAN is in private IP addresses. And all Internet services go
> through the proxy firewall.
> What I am looking for is a firewall that is able to protect the internal
> LAN where the internal IPs are a range of registered Internet IP addresses
> instead of private IPs (192.168.x.x). The firewall only opens up those
> allowed services to go out, like HTTP, FTP, etc...
>
> The firewall can be a software or hardware solution.
>
> Thanks.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
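Added example (not part of the thread, and not any firewall product's code): a small Python simulation of the two NAT modes Jen describes (masquerading everything behind one registered address versus static one-to-one mapping) and of the failure mode Ben describes, where the remote application replies to the address carried in the payload instead of the one in the IP header. All addresses are constructed: 203.0.113.0/24 stands in for the registered a.b.c.0/24, 10.0.0.0/24 for the inside LAN, 198.51.100.7 for a server on the Internet. The `alg` switch is a hypothetical application-layer gateway that also rewrites the embedded address, which is what a NAT "fixed" for NetMeeting has to do. The `usable_hosts` helper checks the 255.255.255.252 and 128 (126) figures from Ben's message.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: 203.0.113.0/24 (a documentation range) stands in for
# the registered a.b.c.0/24 from the thread; 10.0.0.0/24 is the inside LAN.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
MASQ_ADDR = "203.0.113.2"       # the firewall's single registered address
REMOTE_SERVER = "198.51.100.7"  # some server out on the Internet (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: str = ""  # may carry an address, e.g. "CALLBACK 10.0.0.192:5000"


class NAT:
    """Header-rewriting NAT with optional static 1:1 mappings and an optional
    (hypothetical) application-layer gateway that also rewrites the payload."""

    def __init__(self, static_map=None, alg=False):
        self.static = dict(static_map or {})              # inside -> outside
        self.reverse = {o: i for i, o in self.static.items()}
        self.masq_table = {}                               # outside port -> (inside ip, port)
        self.next_port = 40000
        self.alg = alg

    def outbound(self, pkt):
        """Inside -> Internet: rewrite the source; returns the packet as seen outside."""
        if pkt.src in self.static:                         # static NAT: 1:1, port kept
            new_src, new_sport = self.static[pkt.src], pkt.sport
        else:                                              # masquerade: one address, new port
            new_src, new_sport = MASQ_ADDR, self.next_port
            self.masq_table[new_sport] = (pkt.src, pkt.sport)
            self.next_port += 1
        payload = pkt.payload
        if self.alg:
            # ALG: fix the address embedded in the application data as well
            payload = payload.replace(f"{pkt.src}:{pkt.sport}", f"{new_src}:{new_sport}")
        return Packet(new_src, pkt.dst, new_sport, pkt.dport, payload)

    def inbound(self, pkt):
        """Internet -> inside: undo the translation; None if nothing matches."""
        if pkt.dst in self.reverse:
            return Packet(pkt.src, self.reverse[pkt.dst], pkt.sport, pkt.dport, pkt.payload)
        if pkt.dst == MASQ_ADDR and pkt.dport in self.masq_table:
            ip, port = self.masq_table[pkt.dport]
            return Packet(pkt.src, ip, pkt.sport, port, pkt.payload)
        return None


def remote_reply(pkt, uses_payload_addr):
    """The remote application's reply. A well-behaved protocol answers the IP
    header; a NetLogon/NetMeeting-style one answers the address in the payload."""
    if uses_payload_addr:
        ip, port = pkt.payload.split()[1].rsplit(":", 1)
        return Packet(pkt.dst, ip, pkt.dport, int(port), "OK")
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, "OK")


def run_scenario(nat, uses_payload_addr, inside="10.0.0.192"):
    """Send one request out through `nat` and return the reply as delivered to
    the inside host, or None if the reply never gets there."""
    req = Packet(inside, REMOTE_SERVER, 5000, 389, f"CALLBACK {inside}:5000")
    reply = remote_reply(nat.outbound(req), uses_payload_addr)
    if ipaddress.ip_address(reply.dst) in INSIDE_NET:
        return None  # a reply addressed to the private inside LAN is not routable on the Internet
    return nat.inbound(reply)


def usable_hosts(cidr):
    """Assignable host addresses in a subnet (network and broadcast excluded)."""
    return len(list(ipaddress.ip_network(cidr).hosts()))


if __name__ == "__main__":
    static = {"10.0.0.192": "203.0.113.4", "10.0.0.231": "203.0.113.5"}
    for label, nat in [("masquerade", NAT()), ("masquerade+ALG", NAT(alg=True)),
                       ("static", NAT(static)), ("static+ALG", NAT(static, alg=True))]:
        ok_hdr = run_scenario(nat, uses_payload_addr=False) is not None
        ok_pay = run_scenario(nat, uses_payload_addr=True) is not None
        print(f"{label:15s} header-addressed reply: {ok_hdr}  payload-addressed reply: {ok_pay}")
    print("/30 usable hosts:", usable_hosts("203.0.113.0/30"),
          " /25 usable hosts:", usable_hosts("203.0.113.0/25"))
```

The point the run makes is that static NAT alone does not cure the payload problem: a 1:1 mapping still leaves the private address sitting in the application data, so the remote end replies into 10.0.0.0/24 and the reply never arrives. Only a NAT that understands the protocol well enough to rewrite the payload (the "fixed" implementations Ben mentions), or no NAT at all, makes such protocols work.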
