Todd is quite correct. Any server that you want your people to be able to access from the Internet (which is effectively what you are doing without a VPN) must have a static IP address. The client on the other end behind the firewall will work from behind a hide NAT'd IP address, but any host you want available as a server on either end MUST have a static NAT.

With a VPN this would not be the case, as the VPN forms a virtual and routable network segment between the two networks, effectively acting as a subnet joining the two networks together. Also, allowing inbound access to your LAN without a VPN is a very bad idea from a security point of view, so I suggest you push forward your "eventual" VPN if you want to do this.

Damo

> This doesn't make sense. I can't be the only one on the planet with this
> problem:
> Example: I have 100 employees with PCs in New York. I have 5 servers also
> at that location. There are dedicated links to multiple sites (router
> connected) for each of those NY locations:
> Site NY-A: 15.15.x.x mask 255.255.0.0, has FW'd access to 'net.
> Site NY-B: 15.20.x.x mask 255.255.0.0
> Site NY-C: 15.30.x.x mask 255.255.0.0
> Site NY-D: 15.40.x.x mask 255.255.0.0
>
> Site LA-A: 15.5.x.x mask 255.255.0.0, has FW'd access to 'net.
>
> I have 100 employees with PCs in Los Angeles. 5 servers there, too.
> I need all 200 employees to access the other location's servers
> (eventually with VPN) across the internet, firewall protected.
> From #2 below, each "host" (employee PC?) would need a static NAT'd
> one-for-one external IP address?
> I think I can handle the routing issues (I think...) but this whole
> "hide"/NAT thing is very confusing.
>
> Thanks,
> Vic
> -----------
> >1. If you want your hosts behind the firewall to be accessible via the
> >internet, you cannot use hide NAT. There are three options for having your
> >hosts accessible via the net: static NAT, no NAT at all (which I don't
> >think is what you want), or PAT.
> >
> >2. Every host that you want accessible via the internet needs to have a
> >publicly routable IP address associated (i.e. statically NAT'ed) with it -
> >in your case a 12.x.x.x address makes the most sense - again, this
> >association is one to one.
> >
> >3. The firewall will NAT the 12.x address to the appropriate 15.x address
> >and routing can take care of the rest. However, since the 15.x network is
> >not directly connected to the firewall, the firewall needs to know how to
> >get there, so a static route is needed on the firewall pointing the 15.x to
> >the 10.x router between the 10.x and 15.x networks.
> >
> >4. The default route on hosts on the 15.x network should be the 15.x
> >router. That router then needs to know what to do with packets destined
> >for the internet, so it should therefore point to the firewall.
> >
> >If I understand your situation correctly, the above should get you there.
> >
> >Also, if anyone cares to correct the above, have at it.
> >
> >todd
> >
> >----- Original Message -----
> >From: Vic G
> >Sent: Wednesday, October 30, 2002 3:42 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: [FW-1] internal network/NAT (eventually VPN)
> >
> >More info:
> >1. FW NG SP1 is running on Win2k.
> >
> >2. I added a route statement at the FW to route all 15.x traffic to the 10.x.x.x
> >router. Do I really need to do that? (When the NAT unwraps, does it unwrap
> >as 10.x.x.x or 15.x.x.x?)
> >
> >3. I found that I can add a new "network" of 15.0.0.0 and NAT that to "hide"
> >behind the real external IP address (12.x.x.x). Is this on the right path to
> >getting my "very internal" hosts to be accessible via the 'net?
> >Currently my "internalnet" as defined in FW-1 is only 10.x.x.x, since that's
> >all that is there (my DMZ servers).
> >
> >4. After all this, I set up a client PC on the 15.x network, and added route
> >statements to send traffic destined for the 10.x network to the 15.x router.
> >The default gateway on this PC is my FW, 10.10.10.1.
> >This does NOT work. I can ping my DMZ hosts on the 10.x (so I know packets
> >are getting to the 10 side) but there is no log info on the FW when I ping
> >it, try to use nslookup, or browse the 'net from this PC.
> >
> >Any ideas?
> >Vic
> >
> > >arp your router on an external IP on the firewall (don't forget to route
> > >to it)
> > >accept with a rule the traffic you are interested in.
> > >
> > >Pete
> > >
> > >-----Original Message-----
> > >From: Vic G [mailto:fw1vic@;HOTMAIL.COM]
> > >Sent: Wednesday, October 30, 2002 10:56 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: [FW-1] internal network/NAT (eventually VPN)
> > >
> > >I'm attempting to set this up, here is my config (be kind..)
> > >
> > >  Very int            IntDMZ        FW       External
> > >  15.x.x.x   Router   10.10.10.x    10-12    12.x.x.x
> > >
> > >There is a router between "very internal" (which also has other routers
> > >to more internal nets...)
> > >I need a client on the outside (internet) to be able to get to a very
> > >internal host station (eventually VPN to a similar setup on the other side). I
> > >have on my INT DMZ some hosts (static NAT'd to the external address) and
> > >that works OK. The router is static NAT'd as a workstation, with NAT
> > >enabled (one IP is 10.x.x.x, the other is 15.x.x.x). I've tried HIDE and STATIC
> > >(not sure what it should be...)
> > >The Internet router has static route statements to force the external
> > >address to the FW. How does someone on the Internet address (what could be) many
> > >internal addresses on the inside networks?
> > >
> > >All the examples I see are only 1 level deep (i.e. the 10.x.x.x is
> > >hide/NATted to the outside). I need to get 1 more level in.
> > >
> > >What am I missing here?
> > >Vic
> > >=================================================
> > >To set vacation, Out Of Office, or away messages,
> > >send an email to [EMAIL PROTECTED]
> > >in the BODY of the email add:
> > >set fw-1-mailinglist nomail
> > >=================================================
> > >To unsubscribe from this mailing list,
> > >please see the instructions at
> > >http://www.checkpoint.com/services/mailing.html
> > >=================================================
> > >If you have any questions on how to change your
> > >subscription options, email
> > >[EMAIL PROTECTED]
> > >=================================================
