I actually hide my NAT behind a different external IP than my FW's external
IP.  It's just another layer of security in my mind, so people won't attempt
to connect directly to the FW's IP address.  It's a proxy ARP'd IP I guess
you would consider it.  This is assuming you can utilize more than 1
external IP on your WAN interface.  In our case, we have a /26 worth of
space to play with.

-Lyle

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Hal Dorsman
Sent: Thursday, November 11, 2004 10:52 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] nat question

Perhaps I misunderstood his question the way he asked "which interface do
you configure nat on?".  You are correct, you configure it on the internal
network object, but you tell it to hide behind the external interface.

Hal

-----Original Message-----
From: Jon Allingham [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 11:45 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] nat question


I set my NAT on the internal _network_ objects. That gives me more
flexibility as I have at least one network that has public IPs and does not
get NATed. I'm not sure how/why you would set NAT on an external _network_
object as you don't usually have network objects for the external network;
at least I don't have any reason to. I think you can set NAT globally on
your firewall object to cover specific outbound interfaces, but I haven't
tried that and it wouldn't work for me anyway unless I over-rode it
somewhere else.

--
Jon Allingham
Director
Leapstone Systems


-----Original Message-----
From: Hal Dorsman [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 12:41 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] nat question

External.  You want the internet thinking everything is coming from your
firewall, so you hide behind its external legal IP.  Think of it from a
purely routing standpoint: the gateway back into your private network is the
external interface of your firewall.  To get everything back to your private
network it has to be sent to your firewall, so everything coming from it has
to appear to be from that.

Hal

-----Original Message-----
From: Kim Longenbaugh [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: [FW-1] nat question


OK, at the risk of sounding stupid, which interface do you configure Hide
NAT on so your internal network can browse the internet? Say you have an
external interface, a dmz interface, and an internal interface.
Say you want hosts on your internal network to get to the internet, and you
want them to appear to the outside world as xxx.xxx.xxx.20 (assuming a
public address). Do you configure Hide nat in the internal network object, or
on the external network object?

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[EMAIL PROTECTED]
=================================================
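
The Hide NAT behaviour discussed in this thread, as an added example that is not part of the original messages and is not Check Point code. It is a toy Python model: the `HideNat` class, the port pool starting at 10000 and the documentation addresses (192.0.2.0/26 as the external /26, 10.1.1.0/24 as the internal network) are all assumptions made for illustration.

```python
import ipaddress

class HideNat:
    """Toy model of many-to-one (hide) NAT; constructed, not vendor code."""

    def __init__(self, internal_net, external_net, fw_external_ip, hide_ip):
        self.internal = ipaddress.ip_network(internal_net)
        self.external = ipaddress.ip_network(external_net)
        self.fw_ip = ipaddress.ip_address(fw_external_ip)
        self.hide_ip = ipaddress.ip_address(hide_ip)
        # Replies only come back through the firewall if the hide address is
        # a usable host address on the external segment.
        if self.hide_ip not in self.external or self.hide_ip in (
                self.external.network_address, self.external.broadcast_address):
            raise ValueError("hide IP is not a usable host on the external subnet")
        self.out = {}           # (src_ip, src_port, proto) -> hide port
        self.back = {}          # (hide port, proto) -> (src_ip, src_port)
        self.next_port = 10000  # assumed start of the translated port pool

    def needs_proxy_arp(self):
        # A hide IP that is not the interface address is not answered for by
        # the interface itself: something must answer ARP for it (the proxy
        # ARP setup Lyle describes) or the upstream router must route it.
        return self.hide_ip != self.fw_ip

    def outbound(self, src_ip, src_port, proto="tcp"):
        src = ipaddress.ip_address(src_ip)
        if src not in self.internal:
            # NAT is set on the internal network object, so other networks
            # (e.g. one with public IPs) leave untranslated.
            return (str(src), src_port)
        key = (src, src_port, proto)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, proto)] = (str(src), src_port)
            self.next_port += 1
        return (str(self.hide_ip), self.out[key])

    def inbound(self, dst_port, proto="tcp"):
        # Only replies to existing entries translate back; an unsolicited
        # connection to the hide IP matches no entry and returns None.
        return self.back.get((dst_port, proto))
```

Setting `hide_ip` equal to `fw_external_ip` models hiding behind the firewall's own external address; any other host address in the /26 models the separate hide address.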
