The only way this is going to work is if (at least) one of those "firewall router" boxes is a PROXY, so that (for instance) all traffic that arrives via the 60.60.60.60 NATted address is seen by the server as coming from 100.100.100.60 instead of its "true" external address.
This is still imperfect, though, because once a client decides that it wants to talk to 50.50.50.50 or 60.60.60.60, its connection cannot fail over to the other link....

DG

On 18 Mar 2002, at 15:33, Scheidel, Greg (Contractor) wrote:

> On incoming traffic (Internet to your site), have each firewall NAT the
> source IP address (that is to say, the client's IP address) to a single
> distinct IP address (many-to-one, or PAT) that is either (a) the firewall's
> internal interface or (b) an address that internal routing identifies as
> accessible via that distinct firewall. Reply traffic will be routed back to
> the appropriate firewall, reverse NAT'd, and sent on.
>
> For example:
>
>    [ISP 1]                 [ISP 2]
>       |                       |
>       |                       |
> +=====================+ +=====================+
> |    50.50.50.50      | |    60.60.60.60      |
> |---------------------| |---------------------|
> | firewall router # 1 | | firewall router # 2 |
> |---------------------| |---------------------|
> |   100.100.100.50    | |   100.100.100.60    |
> +=====================+ +=====================+
>           |                       |
>           |                       |
> +--------------------------------------+
> | service network : 100.100.100.0 / 24 |
> +--------------------------------------+
>                    |
>                    |
>           +===================+
>           |  100.100.100.100  |
>           |-------------------|
>           |    web server     |
>           +===================+
>
> Let's suppose a user comes in with a request for your web server:
>
> Source: 5.5.5.5 (Client # 1)
> Dest:   100.100.100.100 (Web Server)
> Via:    50.50.50.50 (Firewall Router # 1, external iface)
>
> You then have Firewall Router # 1 NAT the traffic so that it is:
>
> Source: 100.100.100.50 (Firewall Router # 1, internal iface)
> Dest:   100.100.100.100 (Web Server)
>
> Simultaneously you have a second user request:
>
> Source: 6.6.6.6 (Client # 2)
> Dest:   100.100.100.100 (Web Server)
> Via:    60.60.60.60 (Firewall Router # 2, external iface)
>
> You then have Firewall Router # 1 NAT the traffic so that it is:
>
> Source: 100.100.100.60 (Firewall Router # 2, internal iface)
> Dest:   100.100.100.100 (Web Server)
>
> Reply traffic for 5.5.5.5 will be routed via 100.100.100.50, and 6.6.6.6
> will be routed via 100.100.100.60.
>
> This assumes that you are able to NAT the source to the internal iface of
> the firewall. If you can't, then assign bogus private IP addresses and NAT
> to that, with routing in place identifying the private IP addresses as
> accessible via the appropriate firewall.
>
> For example:
>
>    [ISP 1]                 [ISP 2]
>       |                       |
>       |                       |
> +=====================+ +=====================+
> |    50.50.50.50      | |    60.60.60.60      |
> |---------------------| |---------------------|
> | firewall router # 1 | | firewall router # 2 |
> |---------------------| |---------------------|
> |     192.168.1.1     | |     192.168.1.2     |
> |---------------------| |---------------------|
> |   100.100.100.50    | |   100.100.100.60    |
> +=====================+ +=====================+
>           |                       |
>           |                       |
> +--------------------------------------+
> | service network : 100.100.100.0 / 24 |
> +--------------------------------------+
>                    |
>                    |
>           +===================+
>           |  100.100.100.100  |
>           |-------------------|
>           |    web server     |
>           +===================+
>
> Let's suppose a user comes in with a request for your web server:
>
> Source: 5.5.5.5 (Client # 1)
> Dest:   100.100.100.100 (Web Server)
> Via:    50.50.50.50 (Firewall Router # 1, external iface)
>
> You then have Firewall Router # 1 NAT the traffic so that it is:
>
> Source: 192.168.1.1 (Firewall Router # 1, bogus private address)
> Dest:   100.100.100.100 (Web Server)
>
> Simultaneously you have a second user request:
>
> Source: 6.6.6.6 (Client # 2)
> Dest:   100.100.100.100 (Web Server)
> Via:    60.60.60.60 (Firewall Router # 2, external iface)
>
> You then have Firewall Router # 1 NAT the traffic so that it is:
>
> Source: 192.168.1.2 (Firewall Router # 2, bogus private address)
> Dest:   100.100.100.100 (Web Server)
>
> Reply traffic for 5.5.5.5 will go out via 100.100.100.50, and 6.6.6.6 will
> go out via 100.100.100.60. This requires that you set up routing on the Web
> Server host that identifies that 192.168.1.1 is accessible via
> 100.100.100.50, and that 192.168.1.2 is accessible via 100.100.100.60. Note
> that neither the 192.168.1.1 nor the 192.168.1.2 address is actually in use or
> assigned to any interface anywhere.
>
> This all assumes that you don't care/need to deal with BGP or similar
> load-balancing between ISP scenarios.
>
> Greg S.
>
> -----Original Message-----
> From: David Smart [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 18, 2002 3:02 PM
> To: Firewall
> Subject: Routing to two NAT / firewall gateways ?
>
> I am upgrading my internet service and (temporarily) have Internet
> connectivity from two ISPs. Each ISP interfaces to my LAN via its own
> firewall router - with filtering - with NAT enabled - and some holes poked
> through for my exposed services. It may be obvious in retrospect (but it
> wasn't to me) that the external services only work when their host points to
> that ISP's router as default gateway.
>
> That is: I can telnet to ISP-2's external IP address and get a telnet session
> to my inside host only if the inside host running telnetd points to ISP-2's
> router as default. But then I cannot make any use of ISP-1 from that host.
>
> Is there a service or configuration I could employ to make the routing work
> with two NAT gateways? If this was addressed before - please just point me
> there.
>
> Thanks,
> Dave
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
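As an added illustration, not part of the thread, here is a small Python model of the reply-path problem Dave describes and the two fixes Greg proposes. The addresses are the ones in the diagrams; the routing logic, the firewall tables and the function names are a constructed simplification (a single default gateway on the web server, /32 host routes, no BGP).

```python
import ipaddress

WEB = "100.100.100.100"
SERVICE_NET = ipaddress.ip_network("100.100.100.0/24")

# Constructed model of the two firewalls in the diagrams: public address,
# internal interface, and the address each rewrites the client source to.
# FW_BOGUS is the second variant, where that address is bound to no interface.
FW_INTERNAL = {"50.50.50.50": {"internal": "100.100.100.50", "snat": "100.100.100.50"},
               "60.60.60.60": {"internal": "100.100.100.60", "snat": "100.100.100.60"}}
FW_BOGUS = {"50.50.50.50": {"internal": "100.100.100.50", "snat": "192.168.1.1"},
            "60.60.60.60": {"internal": "100.100.100.60", "snat": "192.168.1.2"}}


def inbound(fws, public_ip, client_ip, snat):
    """Firewall DNATs its public address to WEB; with snat=True it also
    rewrites the client source.  Returns the packet the web server sees."""
    src = fws[public_ip]["snat"] if snat else client_ip
    return {"src": src, "dst": WEB, "arrived_via": public_ip}


def next_hop(dst, static_routes, default_gw):
    """Simplified web-server routing: on-link subnet first, then /32 host
    routes (the 192.168.1.x trick), then the single default gateway."""
    if ipaddress.ip_address(dst) in SERVICE_NET:
        return dst
    return static_routes.get(dst, default_gw)


def reply_path(fws, public_ip, client_ip, snat, static_routes=None,
               default_gw="100.100.100.50"):
    """Public address of the firewall that ends up carrying the reply."""
    pkt = inbound(fws, public_ip, client_ip, snat)
    nh = next_hop(pkt["src"], static_routes or {}, default_gw)
    for pub, fw in fws.items():
        if nh == fw["internal"]:
            return pub
    return None  # next hop is not one of the firewalls


def symmetric(fws, public_ip, client_ip, snat, static_routes=None):
    """True when the reply leaves through the firewall the request came in on,
    i.e. the only box holding the NAT state needed to reverse it."""
    return reply_path(fws, public_ip, client_ip, snat, static_routes) == public_ip


if __name__ == "__main__":
    routes = {"192.168.1.1": "100.100.100.50", "192.168.1.2": "100.100.100.60"}
    print("no SNAT, via fw 2:  ", symmetric(FW_INTERNAL, "60.60.60.60", "6.6.6.6", False))
    print("SNAT, via fw 2:     ", symmetric(FW_INTERNAL, "60.60.60.60", "6.6.6.6", True))
    print("bogus, no routes:   ", symmetric(FW_BOGUS, "60.60.60.60", "6.6.6.6", True))
    print("bogus + host routes:", symmetric(FW_BOGUS, "60.60.60.60", "6.6.6.6", True, routes))
```

Requests arriving via the default-gateway firewall always work; the model shows why the other link only works once the source is rewritten (or a host route for the bogus address exists), which is exactly Dave's telnet symptom.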
