You can do it without re-addressing the internal subnet, but would
need to re-address the link between the router and the firewall. e.g.:
[Internet]
|
[Router]
(10.0.0.1)
|
(10.0.0.2)
[Firewall]
(200.0.0.2)
|
[Internal-net]
i.e. the internal network doesn't change, but the external one moves
to a private address range. Default gateway for the PCs is the firewall's
internal interface (200.0.0.2), default gateway for the firewall is the
inside interface of the router (10.0.0.1). The router needs a static route
to point the internal subnet at the firewall (ip route 200.0.0.0
255.255.255.0 10.0.0.2).
Then the internal and external interfaces aren't on the same subnet,
so no problem. This will work unless someone on the internet needs to
connect directly to the OUTER interface of the firewall (or the inner
interface of your router). They can still connect to the inside interface of
your firewall if required.
Darryl Luff
[EMAIL PROTECTED]
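
The addressing plan described in the reply above, checked with an added example that is not part of the original message: it flags the overlapping firewall subnets in the original layout and traces next hops in the re-addressed one. The /30 mask on the 10.0.0.x link, the "internet" next-hop label and the sample hosts 200.0.0.50 and 198.51.100.7 are assumptions.

```python
import ipaddress

def overlapping(ifaces):
    """Return pairs of interface names whose connected subnets overlap."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def lookup(node, dst):
    """Longest-prefix match over connected subnets and static routes."""
    dst = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_interface(a).network, "connected")
             for a in node["ifaces"].values()]
    table += [(ipaddress.ip_network(p), hop) for p, hop in node["routes"]]
    matches = [(net.prefixlen, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def trace(nodes, start, dst, limit=8):
    """Follow next hops from `start` until delivery or the edge of the model."""
    owner = {str(ipaddress.ip_interface(a).ip): name
             for name, n in nodes.items() for a in n["ifaces"].values()}
    hops, here = [start], start
    for _ in range(limit):                  # bound guards against routing loops
        hop = lookup(nodes[here], dst)
        if hop == "connected":
            return hops + ["delivered"]
        if hop not in owner:                # no route, or next hop outside the model
            return hops + [hop]
        here = owner[hop]
        hops.append(here)
    return hops + ["loop"]

# Original layout from the question: both firewall NICs sit in 200.0.0.0/24.
ORIGINAL_FW = {"eth1": "200.0.0.1/24", "eth0": "200.0.0.253/24"}

# Re-addressed layout from the reply (link mask /30 is an assumption).
NODES = {
    "router": {"ifaces": {"inside": "10.0.0.1/30"},
               "routes": [("200.0.0.0/24", "10.0.0.2"), ("0.0.0.0/0", "internet")]},
    "firewall": {"ifaces": {"outer": "10.0.0.2/30", "inner": "200.0.0.2/24"},
                 "routes": [("0.0.0.0/0", "10.0.0.1")]},
}

if __name__ == "__main__":
    print("original overlap:", overlapping(ORIGINAL_FW))
    print("new overlap:", overlapping(NODES["firewall"]["ifaces"]))
    print("outbound:", trace(NODES, "firewall", "198.51.100.7"))  # constructed host
    print("return:", trace(NODES, "router", "200.0.0.50"))        # constructed host
```
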
> > -----Original Message-----
> > From: jeremy cassidy [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 22 February 2001 12:53
> > To: Firewalls
> > Subject:
> >
> >
> > Here's a good one I think:
> >
> > Objective: Build a Bastion Host (Firewall) between an
> > Internal LAN and the
> > Internet
> >
> > Here's the scenario:
> >
> > Internal LAN: Client IP Range = 200.0.0.2 to 200.0.0.252
> >
> > Firewall: Internal NIC (eth1) IP = 200.0.0.1
> > Firewall: External NIC (eth0) IP = 200.0.0.253
> >
> > Cisco Router (Default Gateway to Internet): IP = 200.0.0.254
> >
> > The question is:
> > -Can I route the requests from the Internal LAN clients to
> > the Internet via
> > the firewall, WITHOUT changing the IPs? ( We don't want to
> > use a Private IP
> > Range. We also don't want to subnet the class C address)
> >
> > - If the answer is yes, how can you configure ipchains or
> > iptables to deal
> > with the fact that the internal and external interfaces are
> > on the same
> > subnet?
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >