> -----Original Message-----
> From: horio shoichi [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 20 October 2000 4:38 AM
> Cc: David Loysen; '[EMAIL PROTECTED]'
> Subject: Re: Dual firewall question
> 
> 
> I can't understand why you could ping both addresses from 
> outside NAT, either.
> 
[snip] 
> mouss wrote:
> > 
> > I don't see how you can ping it using the second firewall!
> > you have an "impossible" situation. 
[snip]

Well done, Dave - looks like you came up with a tricky one!

I have a theory. You're doing NAT on some boxen _other_ than the webservers,
right? I think your NAT device is maintaining an 'alias' for the IP address
of the WWW box. In other words, when you ping those addresses the NAT box is
responding for you to say that the box is alive. It's bizarre behaviour but
seems to be the only one that explains the situation. Test by turning the
WWW box off and trying to ping, maybe. My theory suggests that it would
still work.

Anyway, that's kind of irrelevant.

Here's why you're having problems:

When a packet comes in from ISP1 and goes to the WWW box, the WWW box
responds. The default gateway is via ISP1 so the NAT pool for ISP1 is used.
This is good.

When a packet comes in from ISP2, though, the default gateway for the WWW
box is still via ISP1. This means that the return packet will get translated
using the NAT pool for ISP1 - this is NOT the address the connection was
addressed to, so when the sending host sees this strange, unsolicited
SYN/ACK packet from some different IP address it gets all confused.

Make sense?

Here's how you solve it:

You need to do a "Nasty NAT Trick".

What you do is translate the _SOURCE_ address of incoming WWW requests at
your border routers. IOW, anything that comes in via ISP1 you translate the
source address into something in a 10.1.x.x range. Anything that comes in
via ISP2 you translate the source address into a 10.2.x.x range. Most good
NAT devices will support this - lots call it 'outside source' translation or
'illegal NAT' or just 'INAT'.

Now all you need to do is have two routes - 10.1.x.x via ISP1 and 10.2.x.x
via ISP2. These routes go on the default gateway. You will still need to do
the same inside source translation you were doing before, of course.


> > 
> > At 17:44 18/10/00 -0700, David Loysen wrote:
> > >I am having a problem that I can't quite figure out.

[...multi-homing to two ISPs with NAT causes weird stuff...]

> > >
> > >Is there a way to make the web server respond to both IP's?
> > >
> > >Thanks for any help or ideas 'cause I'm fresh out of both

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
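The asymmetric-return problem Ben describes, and the "outside source" translation that fixes it, can be checked without any routers. The following simulation is an added example and is not code from the thread or from any of its participants: it models one border NAT box per ISP, a WWW box whose default gateway points at ISP1, and an inbound SYN arriving via each ISP. Without the trick, the reply to a connection that came in via ISP2 is translated with ISP1's inside-source pool and leaves with the wrong source address; with each border translating the client's address into its own 10.1.x.x or 10.2.x.x range and a route for each range, the reply goes back out the ISP it came in on. All addresses are constructed documentation-range values (assumptions, not the poster's network), and the helper names are hypothetical.

```python
from dataclasses import dataclass
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
ISP1_PUBLIC = "198.51.100.10"   # public address of the WWW box as seen via ISP1
ISP2_PUBLIC = "203.0.113.10"    # public address of the WWW box as seen via ISP2
WWW_INSIDE = "192.168.1.10"     # real (inside) address of the WWW box


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN" for the request, "SYN/ACK" for the reply


class BorderNAT:
    """One border router doing NAT for one ISP (hypothetical model).

    Inside-source translation (WWW_INSIDE <-> public) is always done.
    If outside_pool is set, the router also rewrites the *client's* address
    into that pool on the way in (the 'outside source' / 'INAT' trick).
    """

    def __init__(self, name, public, outside_pool=None):
        self.name = name
        self.public = public
        self.outside_pool = outside_pool
        self.outside_map = {}   # alias address -> real client address
        self._next_alias = 1

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet toward the WWW box."""
        src = pkt.src
        if self.outside_pool is not None:
            net = ipaddress.ip_network(self.outside_pool)
            alias = str(net[self._next_alias])
            self._next_alias += 1
            self.outside_map[alias] = pkt.src
            src = alias
        return Packet(src, WWW_INSIDE, pkt.flags)

    def outbound(self, pkt):
        """Translate the WWW box's reply as it leaves toward the Internet."""
        real_dst = self.outside_map.get(pkt.dst, pkt.dst)
        return Packet(self.public, real_dst, pkt.flags)


def pick_egress(dst, routes, default):
    """Longest-prefix match over (network, border) pairs; default gateway otherwise."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, border in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, border)
    return best[1] if best else default


def handshake(client, ingress, routes, default):
    """Send one SYN in via `ingress`; return what the client sees in the SYN/ACK."""
    syn = Packet(client, ingress.public, "SYN")
    inside = ingress.inbound(syn)                       # as delivered to the WWW box
    reply = Packet(WWW_INSIDE, inside.src, "SYN/ACK")   # WWW box answers whoever it saw
    egress = pick_egress(reply.dst, routes, default)    # default gw is via ISP1
    out = egress.outbound(reply)
    return {"expected_src": ingress.public, "reply_src": out.src,
            "reply_dst": out.dst, "client": client, "via": egress.name}


def reply_matches(result):
    """True when the SYN/ACK comes from the address the client actually connected to."""
    return (result["reply_src"] == result["expected_src"]
            and result["reply_dst"] == result["client"])


def scenario(nasty_nat_trick):
    """Run one connection via each ISP, with or without outside-source translation."""
    if nasty_nat_trick:
        isp1 = BorderNAT("ISP1", ISP1_PUBLIC, outside_pool="10.1.0.0/16")
        isp2 = BorderNAT("ISP2", ISP2_PUBLIC, outside_pool="10.2.0.0/16")
        routes = [("10.1.0.0/16", isp1), ("10.2.0.0/16", isp2)]
    else:
        isp1 = BorderNAT("ISP1", ISP1_PUBLIC)
        isp2 = BorderNAT("ISP2", ISP2_PUBLIC)
        routes = []
    client = "192.0.2.77"  # constructed client address
    return {"ISP1": handshake(client, isp1, routes, default=isp1),
            "ISP2": handshake(client, isp2, routes, default=isp1)}


if __name__ == "__main__":
    for trick in (False, True):
        print("with trick" if trick else "without trick")
        for isp, r in scenario(trick).items():
            print(f"  in via {isp}: reply from {r['reply_src']} via {r['via']}, "
                  f"ok={reply_matches(r)}")
```

Running it shows the ISP2 connection failing only in the first scenario: the client sent its SYN to 203.0.113.10 and gets a SYN/ACK from 198.51.100.10, which is exactly the "strange, unsolicited SYN/ACK" in the post. One side effect worth noting before deploying this on a real network: because the client's address is rewritten on the way in, the web server's logs record the 10.1.x.x / 10.2.x.x alias rather than the real client, so client attribution has to come from the border devices' translation tables instead.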