I'm a bit confused. I am assuming that when you say "illegal address on the
inside" you mean a registered address (like 199.232.79.50 which already
exists on the Internet), and in your previous message, when you say
"unregistered address on their (internal) network" you actually mean a
registered address. Typically "illegal" and "unregistered" addresses refer
to RFC 1918 Reserved Address Ranges for "private internets" (i.e. 10.x.x.x,
172.16.0.0-172.31.255.255, 192.168.x.x). Correct me if I'm wrong, because
what I'm about to say hinges on the above.
If you are using non-reserved addresses in your intranet, and you are
looking to NAT these addresses before they hit a proxy to access the
Internet, then this NAT will be useless if they attempt to contact an
address which exists both on the Internet and on the local LAN segment,
since the address is local and won't hit the router. For example, your
machine on the local LAN is 199.232.79.48/24 and you want to go to the web
server on the Internet at 199.232.79.50, the router/NAT box will not even
look at this packet unless you have both a proxy ARP entry and a static
route on the router that points to the next hop for 199.232.79.50. And then
your next problem will be trying to figure out who answers 199.232.79.50?
The Internet web server or that local LAN machine using the same IP address?
You can play around with silly DNS tricks to get you out of that one, but if
you ask me, the only sane way to get around this is to rename your address
space to reserved addresses. Either that, or make sure whoever's address
range you're steali.., I mean, using, is someone your organization will
never have a need to send IP packets to... :-)
--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
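An added example, not part of this thread or anyone's post in it, that makes the two checks in the message above concrete: whether an internal range is actually RFC 1918 space, and whether a host on 199.232.79.48/24 would ever hand a packet for 199.232.79.50 to its router (it won't: the destination is on-link, so it ARPs locally and the NAT box never sees it). The gateway address 199.232.79.1 and the public host 198.51.100.7 are constructed sample values.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the message (172.16.0.0/12 is
# 172.16.0.0-172.31.255.255).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net):
    """True if the whole prefix sits inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def next_hop(local_iface, dst, gateway):
    """Connected-route vs default-route decision for a single host.

    local_iface: the host's own address with prefix, e.g. '199.232.79.48/24'
    dst:         destination address
    gateway:     default gateway (assumed value; the NAT router in the thread)

    Returns 'on-link' when the host will ARP for dst directly and the
    router never sees the packet, otherwise 'gateway <addr>'.
    """
    iface = ipaddress.ip_interface(local_iface)
    if ipaddress.ip_address(dst) in iface.network:
        return "on-link"
    return f"gateway {gateway}"


def collisions(internal_net, public_hosts):
    """Public destinations that are unreachable from inside because they
    fall within the (non-RFC 1918) internal range."""
    net = ipaddress.ip_network(internal_net, strict=False)
    return [h for h in public_hosts if ipaddress.ip_address(h) in net]


if __name__ == "__main__":
    # Constructed audit of the situation described in the thread.
    internal = "199.232.79.0/24"
    print(f"{internal} is RFC 1918: {is_rfc1918(internal)}")
    for dst in ("199.232.79.50", "198.51.100.7"):
        print(f"{dst}: {next_hop('199.232.79.48/24', dst, '199.232.79.1')}")
    print("unreachable public hosts:",
          collisions(internal, ["199.232.79.50", "198.51.100.7"]))
```

Running `collisions()` over a list of public hosts the site actually needs (DNS, mail relays, vendor sites) before the renumbering project finishes tells you exactly which destinations the NAT-before-proxy design cannot rescue, which is the point Gene is making.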
-----Original Message-----
From: Brad Lunsford <[EMAIL PROTECTED]>
To: Bernd Eckenfels <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, February 28, 2000 6:58 PM
Subject: Re: NAT before proxy
>This doesn't solve the problem of having an illegal address on the inside,
>does it? The proxy will dump any requests for sites that match our internal
>range (listed in the LAT) back onto the internal interface (unless I'm
>missing something here). I'm planning on converting the inside addresses to
>RFC addresses, but that's going to take a few months, and I need this all in
>place before that happens. Thanks for the info!!
>
>Brad
>
>----- Original Message -----
>From: Bernd Eckenfels <[EMAIL PROTECTED]>
>To: Brad Lunsford <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Monday, February 28, 2000 5:50 PM
>Subject: Re: NAT before proxy
>
>
>> On Tue, Feb 22, 2000 at 03:38:28PM -0500, Brad Lunsford wrote:
>> > I'm setting up a Firewall/Proxy combination for a company that is using
>> > unregistered addresses on their network. My idea was to use a router to
>> > perform NAT before the proxy server. That way, the proxy would sit on a
>> > subnet that contained a private address range. Does anyone have any
>> > opinions on this type of setup?
>>
>> Well, NAT and Proxy can be done in 3 ways, all have advantages and
>> disadvantages:
>>
>> a) make the NAT Router Parallel to the Proxy. In that setup you need 2
>> official IP addresses, but both systems can work at max. speed. Of course
>> you have to configure 2 systems to be secure if you want perimeter
>> security
>>
>> b) put the proxy into the local net and access the internet via NAT router.
>> That way you only need one IP address and the NAT Router is securing all
>> connections. It will need to process FTP and other ugly protocols.
>> Advantage: the cached traffic won't hit the NAT router
>>
>> c) put the proxy in front of the NAT. In that setup you need 2 IPs as with
>> a) but you also get the filtering from the NAT box... the load on the NAT
>> router is a bit higher than in b). If you have a circuit-level proxy this
>> setup will be good to avoid nasty protocols through your NAT (like in a).
>>
>>
>> Greetings
>> Bernd
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]