If you can use 192.168.5 instead of .3, you could get away with  
plugging all of the DMZ equipment, including both sides of the load-
balancer, into a single segment, and use a 23-bit subnet mask.  Or 
renumber 192.168.4.n as 192.168.3.n+m....
  That assumes that the load-balancer can cope with having both 
interfaces on the same subnet, which is kind of a slimy trick.

  A better, but more expensive, approach is to install a router which 
connects the 192.168.3 and .4 subnets.  As long as the firewall knows 
to use this router off its 192.168.3.x interface to reach the 
192.168.4 subnet, it should allow you to set up static NAT 
definitions that map to that subnet just fine.  They shouldn't have 
to be directly connected, just reachable.

David Gillett


On 13 Jun 2001, at 9:04, [EMAIL PROTECTED] wrote:

>      I am implementing a Nokia IP330 running FW4.1 SP3 and have done NAT
> with proxy arps many times, but I am confusing myself on this particular
> situation. Our webservers are going to live in the DMZ, which will then
> transmit customer information back through the firewall to the internal
> LAN, which will then VPN that information to the corporate office. The DMZ
> interface is 192.168.3.1. That much I can handle and have done before. But
> in this particular case, the webservers are going to live behind a load
> balancer which serves all four webservers. The load balancer will be NAT'ed
> to the URL IP address of the site, and when someone goes to the website it
> then spreads the wealth to the webservers. (But it also creates another
> network, 192.168.4.0, so the webservers are going to live on that network,
> not the 192.168.3.0 network. Or to put it another way, the DMZ side of the
> load balancer is 192.168.3.2 and the other side is 192.168.4.2.
> 
> 
>      So here is the question. In addition to the webservers being known by
> the one load balancer IP address, they also need to have their own valid IP
> address NAT'ed, so that they can be connected to individually for
> maintenance reasons. How do I NAT to the 192.168.4.0 network if the DMZ
> interface is 192.168.3.0? Is this even possible? As always, I need to have
> this mastered by tomorrow. Sheesh. Thanks.
> 
> Scott
> 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 


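The two options in David's reply (widen the DMZ mask to one /23 that spans both sides of the load balancer, or keep two /24s and give the firewall a static route to the inner one via a router on the DMZ) can be checked mechanically. The script below is an added example for this page, not code from the thread or from either poster: it uses Python's standard `ipaddress` module to show why 192.168.3.0/24 and 192.168.4.0/24 cannot be aggregated into one /23 (.3 sits in the 192.168.2.0/23 block) while .4 and .5 can, and it models the firewall's longest-prefix-match routing decision to flag static NAT mappings whose private target would be sent out the default route instead of the DMZ interface. All addresses are constructed (public side uses the 203.0.113.0/24 documentation range), and the router address 192.168.3.254 is a hypothetical choice.

```python
"""Added example (not from the original thread): aggregation check for the
/23 trick, and a reachability check for static NAT targets that are routed,
not directly connected.  All addresses are constructed; 192.168.3.254 is a
hypothetical router address."""

import ipaddress


def aggregate_with_mask(nets, prefixlen):
    """Return the single aligned /prefixlen block that contains every
    network in `nets`, or None if no such block exists.  Widening the mask
    only works when all networks fall into the same aligned supernet."""
    supernets = {ipaddress.ip_network(n).supernet(new_prefix=prefixlen)
                 for n in nets}
    return str(supernets.pop()) if len(supernets) == 1 else None


class RouteTable:
    """Minimal longest-prefix-match forwarding table, standing in for the
    firewall's routing decision when it forwards to a NAT target."""

    def __init__(self):
        self._routes = []  # (network, gateway or None, egress interface)

    def add(self, network, interface, gateway=None):
        gw = ipaddress.ip_address(gateway) if gateway else None
        self._routes.append((ipaddress.ip_network(network), gw, interface))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self._routes if dst in r[0]]
        if not matches:
            return None
        net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
        return {"network": str(net),
                "gateway": str(gw) if gw else None,
                "interface": iface}


def unreachable_nat_targets(table, static_nat, expected_iface):
    """Return the public addresses whose static-NAT target would NOT be
    forwarded out `expected_iface`.  A mapping whose private side falls to
    the default route (back out the Internet interface) is misconfigured
    even though the NAT definition itself looks fine."""
    bad = []
    for public, private in static_nat.items():
        route = table.lookup(private)
        if route is None or route["interface"] != expected_iface:
            bad.append(public)
    return bad


def build_firewall_table(with_static_route):
    """Firewall routes as the thread describes them (constructed values):
    DMZ 192.168.3.0/24 directly connected; 192.168.4.0/24 reachable only
    through a DMZ-side router when `with_static_route` is True."""
    t = RouteTable()
    t.add("192.168.3.0/24", "dmz")                        # connected DMZ
    t.add("10.0.0.0/24", "internal")                      # constructed LAN
    t.add("0.0.0.0/0", "outside", gateway="203.0.113.1")  # constructed default
    if with_static_route:
        # Hypothetical router joining .3 and .4, reached via the DMZ interface
        t.add("192.168.4.0/24", "dmz", gateway="192.168.3.254")
    return t


# Constructed static NAT map: public VIP -> load balancer, plus one public
# address per web server for individual maintenance access.
STATIC_NAT = {
    "203.0.113.10": "192.168.3.2",   # load balancer, DMZ side
    "203.0.113.11": "192.168.4.11",  # web server 1, behind the LB
    "203.0.113.12": "192.168.4.12",  # web server 2, behind the LB
}

if __name__ == "__main__":
    print("/23 over .3 and .4:",
          aggregate_with_mask(["192.168.3.0/24", "192.168.4.0/24"], 23))
    print("/23 over .4 and .5:",
          aggregate_with_mask(["192.168.4.0/24", "192.168.5.0/24"], 23))
    for flag in (False, True):
        fw = build_firewall_table(flag)
        print("static route" if flag else "no static route",
              "-> unreachable NAT targets:",
              unreachable_nat_targets(fw, STATIC_NAT, "dmz"))
```

Run as-is, the aggregation check returns `None` for .3/.4 and `192.168.4.0/23` for .4/.5, and without the static route the two web-server mappings are flagged because 192.168.4.x matches only the default route; adding the route to 192.168.4.0/24 via the DMZ-side router clears them, which is the "reachable, not directly connected" condition in the reply.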