In order for you to configure FW-1 to statically translate two external
DST IP addresses to one internal destination IP address, you need to
establish enough criteria in your NAT table to help FW-1 see the difference
between the two possible sources of the connections.
If you can guarantee that you will always see a 95.x.x.x IP address
attempting to connect to 95.x.x.7, then your NAT rule would be
net-95.x.x.x 95.x.x.7 Any Original 10.0.0.1 Original
10.0.0.1 net-95.x.x.x Any 95.x.x.7 Original Original
And then
Any 205.x.x.7 Any Original 10.0.0.1 Original
10.0.0.1 Any Any 205.x.x.7 Original Original
Obviously, the routes on the firewall are going to have to be accurate
to ensure you don't send a packet out the 205.x.x.x interface if the DST
IP address is to a host on 95.x.x.x.
It appears that the firewall has an external Internet interface and
a 95.x.x.x interface, or is it that the one external interface has been
configured to support both 95.x.x.x and 205.x.x.x? That is a bit
confusing.
--- Jerald Josephs
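
The four rules suggested in the reply above, modelled as a first-match table (an added illustration, not part of the original e-mail and not Check Point code). The 192.0.2.x and 198.51.100.x addresses are constructed stand-ins for the elided 95.x.x.x and 205.x.x.x values, and `translate` and `misordered` are hypothetical helper names; the second function shows what happens to vendor replies if the catch-all pair is placed first.

```python
import ipaddress

# Constructed stand-ins for the elided addresses in the thread (assumptions):
VENDOR_NET = ipaddress.ip_network("192.0.2.0/24")   # "net-95.x.x.x"
VENDOR_NAT = ipaddress.ip_address("192.0.2.7")      # "95.x.x.7"
INET_NAT = ipaddress.ip_address("198.51.100.7")     # "205.x.x.7"
WWW = ipaddress.ip_address("10.0.0.1")              # internal web server
ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    """Single-address network object, so every match field is a network."""
    return ipaddress.ip_network(f"{addr}/32")

# (match src, match dst, translated src, translated dst); None = "Original".
# Same order as the four rules in the reply above.
RULES = [
    (VENDOR_NET, host(VENDOR_NAT), None, WWW),  # vendor -> 95.x.x.7
    (host(WWW), VENDOR_NET, VENDOR_NAT, None),  # replies to the vendor net
    (ANY, host(INET_NAT), None, WWW),           # Internet -> 205.x.x.7
    (host(WWW), ANY, INET_NAT, None),           # replies to anyone else
]

def translate(src, dst, rules=RULES):
    """Apply the first matching rule; assumes top-down, first-match order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for m_src, m_dst, x_src, x_dst in rules:
        if src in m_src and dst in m_dst:
            new_src = src if x_src is None else x_src
            new_dst = dst if x_dst is None else x_dst
            return str(new_src), str(new_dst)
    return str(src), str(dst)  # no rule matched: packet is not translated

def misordered():
    """Same rules with the catch-all pair placed ahead of the vendor pair."""
    return RULES[2:] + RULES[:2]

if __name__ == "__main__":
    flows = [("192.0.2.50", "192.0.2.7"), ("10.0.0.1", "192.0.2.50"),
             ("203.0.113.9", "198.51.100.7"), ("10.0.0.1", "203.0.113.9")]
    for s, d in flows:
        print(f"{s} -> {d}  becomes  {' -> '.join(translate(s, d))}")
    print("misordered reply to vendor:",
          translate("10.0.0.1", "192.0.2.50", misordered()))
```

With the catch-all pair first, the server's reply to a vendor client leaves with the Internet-facing address as its source, so the vendor client sees an answer from an address it never contacted.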
----- Original Message -----
From: "Carric Dooley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Tony Kim" <[EMAIL PROTECTED]>
Sent: Thursday, June 01, 2000 3:17 PM
Subject: Re: [FW1] NAT Question
>
> No,no.. one machine on the inside with two external NAT addresses... this
> client is nat'ing for two different connections (one from a vendor, one from
> another network) on the same firewall.
>
> If I am on the vendor network, I need to connect to 95.x.x.7 to reach the
> internal web server, but from the internet, I need to connect to 205.x.x.7.
> These public addresses are then translated to the internal 10.0.0.1 address.
>
> My question is: "Can this be done?"
>
> so you have nat rules like this
>
> internal_www, any, any 205-net-static, orig, orig
> internal_www, any, any 95-net-static, orig, orig
>
> I hope that is more clear...
>
> The 205 arped address is not responding to anything.
>
> Carric Dooley
> Network Security Consultant
>
> "I have often regretted my speech, never my silence."
> - Xenocrates (396-314 B.C.)
>
>
>
> ----- Original Message -----
> From: "Tony Kim" <[EMAIL PROTECTED]>
> To: "Carric Dooley" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Thursday, June 01, 2000 5:50 PM
> Subject: Re: [FW1] NAT Question
>
>
> > Why would you want to assign 2 machines the same internal IP?
> > What is the scenario? I am confused by your diagram...
> >
> > At 02:36 PM 01/06/00 , Carric Dooley wrote:
> > >
> > >Question:
> > >
> > >Does anyone know for sure if you can nat multiple public addresses to a
> > >single internal address and how one would do it? Here is the issue:
> > >
> > >Vendor1                       Internet
> > > 95.x.x.x (net)                /
> > >       \                      /
> > >        \                    /
> > >
> > > 95.x.x.5    Firewall    205.x.x.5 (real address of public IF)
> > > 95.x.x.7    www         205.x.x.7 (public static NAT for internal WWW)
> > >                |
> > >                |
> > >          www.domain.com
> > >             10.0.0.1
> > >
> > >Translating 95.x.x.7 and 205.x.x.7 statically to 10.0.0.1
> > >
> > >Current Nat Rules
> > >
> > >Orig                                           | Xlated
> > >___________________________________________________________________
> > >Src                                   Dest Srv | Src             Dest Srv
> > >Int_www (nothing defined in nat tab)  Any  Any | Pub_Hide_static Orig Orig
> > >
> > >We have published the arp for the external address, but it isn't working....
> > >
> > >
> > >thanks
> > >
> > >
> > >
> > >
> > >
> > >Carric Dooley
> > >Network Security Consultant
> > >
> > >"I have often regretted my speech, never my silence."
> > >- Xenocrates (396-314 B.C.)
> > >
> > >
> > >
> > >
> >
>
> > >================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > >================================================================================
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Tony Kim
> > CSM Systems Inc.
> > Chief Network Security Engineer.
> > 780-441-3251 1-888-799-2500
> >
> > Suite 900 - First Edmonton Place
> > 10665 Jasper Avenue
> > Edmonton, AB
> > T5J 3S9
> > Canada
> >
> > http://www.canadashop.com/
> > http://www.csm-systems.com/
> > http://www.americangamers.com/
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
>
>
>
>