Mael,

> is it possible to use private ranges between router1, router2, and 1st
> interface of the firewall? (I think not). Maybe functions _like_ "ip
> unnumbered" in cisco IOS can help (and under Linux?)? Or what is the better
> way to make this net .. work?

It is perfectly fine to use private address ranges for subnets such as these.

If I read your diagram properly (it was jumbled a bit), I assume that your configuration is to look as follows: you have some type of WAN gateway, a subnet which connects to the cisco router, which connects to your firewall (on a different subnet). The firewall is a 3 NIC (or two 2 NIC firewalls) with a public side, a private side, and a DMZ. Thus, for the two subnets (subnet 1 and 2) you need not use public addresses, since there will be no hosts on these subnets accessible to the outside.

Some of this does depend on your Internet Service Provider. Your ISP will route the address space that they have assigned you towards your WAN router; once traffic hits the first two routers destined for this address space, they will simply forward that traffic to your firewall. In some sense this offers good security, as your first few hops are "hidden" from the outside world.

Some notes of caution, however:

1. First, you will need to use a public address as the first address encountered from the ISP side - this may require some subnetting of your address space.

2. Second, I would advise you to not allow pings to leave your network (as I would always practice regardless). This way, the outside world has no idea that your network exists (that is, they don't get ICMP unreachable messages as if you blocked pings going in, yet they do not get ping replies because they never get out). This will ensure that the private interfaces on subnets 1 and 2 do not answer from private addresses, which is against the RFC. (Not that any pings should have been routed to your network destined for private addresses!)

3. Third, traceroutes would be a bad idea since you have private internal addresses. They are still a bad idea anyway.

4. Make sure whatever routing protocol you use does not advertise routes, at least from the ISP side, and maybe even the firewall side depending on your config. Also, I would advise you to stay away from RIP regardless. This is especially good if you need to summarize addresses. I would use OSPF for these routers (or IGRP if they are all Cisco boxes).

5. You will not be able to get to any of the privately addressed router interfaces from the Internet, not that I would usually allow anyone to do this.

The only other possibility would be to use all private addresses on the inside of your network (from the WAN gateway back). Then you could run NAT on the closest router to your ISP using your public address space. NAT is not foolproof, and it may not suit your needs depending on the complexity of your internal network and the needs/services of the clients on the inside of your network.

Hope this helps. There are many options, but you seem to be on the right track.

Regards,
Geoff Gates
Lockheed Martin, NE&SS

[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
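As an added illustration of the addressing and egress-filtering points in the reply above (this is example code written for this page, not anything Geoff or Mael posted), the script below uses Python's ipaddress module to check a transit-link plan of the kind described: it carves a small public subnet out of the ISP-assigned block for the ISP-facing interface (note 1), allows RFC 1918 space on the other transit links, and models a border egress filter that drops outbound echo replies and anything sourced from private space (notes 2 and 3), then reports which hops a traceroute from the Internet could still see. The topology, the hop names and addresses, the /30 link size, and the use of the RFC 5737 documentation range 203.0.113.0/24 as the "assigned" public block are all assumptions made for the example.

```python
"""Added example (not from the original mailing-list post): sanity-check a
transit-link addressing plan and model the egress filter recommended above.

Assumed topology (constructed): ISP gateway -> router1 -> router2 -> firewall.
203.0.113.0/24 (RFC 5737 documentation space) stands in for the block the ISP
assigned; all hop names and addresses below are made up for illustration.
"""
import ipaddress

ASSIGNED_BLOCK = ipaddress.ip_network("203.0.113.0/24")  # assumed ISP assignment

# RFC 1918 private space; checked explicitly rather than via is_private so the
# documentation range above can play the role of "public" in this example.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICMP type numbers used below (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_TIME_EXCEEDED = 11


def carve_isp_link(block, prefixlen=30):
    """Note 1: the interface facing the ISP needs a public address, so take a
    small point-to-point subnet out of the assigned block for that link."""
    return next(block.subnets(new_prefix=prefixlen))


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_plan(hops):
    """hops: list of (name, address, faces_isp). Returns a list of problems.

    Rules taken from the post: the ISP-facing interface must be public and
    inside the assigned block; other transit interfaces may be private, but if
    they are public they must still come from the assigned block."""
    problems = []
    for name, addr, faces_isp in hops:
        ip = ipaddress.ip_address(addr)
        if faces_isp and is_rfc1918(ip):
            problems.append(f"{name}: ISP-facing address {addr} is private")
        elif not is_rfc1918(ip) and ip not in ASSIGNED_BLOCK:
            problems.append(f"{name}: {addr} is public but not in {ASSIGNED_BLOCK}")
    return problems


def egress_allowed(src, proto, icmp_type=None):
    """Model of the border egress filter from notes 2 and 3.

    - Nothing sourced from RFC 1918 space may leave (so private transit
      interfaces never answer the outside world).
    - Outbound echo replies are silently dropped, so outsiders get neither a
      reply nor an ICMP unreachable.
    Everything else is passed."""
    if is_rfc1918(src):
        return False
    if proto == "icmp" and icmp_type == ICMP_ECHO_REPLY:
        return False
    return True


def traceroute_visible_hops(hops):
    """Hops that a traceroute from the Internet could still show: only those
    whose TTL-exceeded reply (ICMP type 11) gets through the egress filter."""
    return [name for name, addr, _ in hops
            if egress_allowed(addr, "icmp", ICMP_TIME_EXCEEDED)]


# Constructed plan for the assumed topology.
PLAN = [
    ("router1-isp", "203.0.113.2", True),    # public, carved from the block
    ("router1-inside", "10.0.0.1", False),   # subnet 1, private
    ("router2", "10.0.0.2", False),          # subnet 1, private
    ("firewall-outside", "10.0.1.2", False), # subnet 2, private
]

if __name__ == "__main__":
    print("ISP link subnet:", carve_isp_link(ASSIGNED_BLOCK))
    print("plan problems:", check_plan(PLAN) or "none")
    print("hops visible to an outside traceroute:", traceroute_visible_hops(PLAN))
```

With the constructed plan only router1's ISP-facing interface shows up in an outside traceroute; the two private-addressed hops behind it are exactly the "hidden" hops the post describes.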
