Larry,
I'm not sure I fully follow what you're trying to do, but you can
definitely hide any internal (or DMZ) network behind any address you want
(so long as you own it, of course). They don't have to be hidden behind
the external interface of the firewall at all. To that note, your outside
firewall interface doesn't even need to be a public address. In my
firewall setups, I generally use an internal 10.x.x.x interface, a
publicly addressed DMZ interface, and extranet and internet (outside)
interfaces in the 192.168.x.x range. Then I NAT behind a second public IP
range - completely separate from the DMZ public range.
And you can certainly drop all packets destined directly for the firewall
as well. That way, unless you had a few "reject" rules (which send TCP
RESETS sourced from the firewall), the firewall won't answer for anything
at all. Just a few thoughts.....
Jason
http://www.wittys.com
At 04:44 PM 6/8/00 -0700, Larry Haff wrote:
>
>Hi All,
>
>In trying to have a FW be as invisible as possible, I have often wondered if
>it would be desirable, or even possible, to hide the portion of a LAN that
>is not using NAT behind an IP address other than the one assigned to the
>external interface of the FW. Has anyone tried this? If yes, can you offer
>guidance?
>
>Larry Haff
>Network and Technical Administrator
>Institute of Computer Technology
>Email: [EMAIL PROTECTED]
>
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
>
>
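Editor's added example (not from either poster, and not FireWall-1 syntax, which is what this list discussed): an nftables ruleset that does the two things Jason describes, namely NAT the inside LAN behind a public address that is not the firewall's outside interface address, and drop everything addressed to the firewall itself except where a reject rule is deliberately used. Interface names and all addresses are assumptions for the example; the public blocks are taken from the RFC 5737 documentation ranges.

```nft
# Added example, not code from the original thread.
# Assumed topology:
#   eth0  outside  192.168.200.2/30   (private, as in Jason's setup)
#   eth1  DMZ      203.0.113.0/24     (public, no NAT)
#   eth2  inside   10.1.0.0/16
#   198.51.100.0/28 is a second public block routed to this firewall;
#   198.51.100.10 is the hide-NAT address for the inside LAN. It is
#   deliberately NOT an address configured on eth0.

flush ruleset

table inet fw {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback and replies to the firewall's own sessions.
        iif "lo" accept
        ct state established,related accept

        # Management from the inside only. Everything else aimed at any
        # firewall address falls through to the chain policy and is
        # dropped silently, so the box never answers for itself.
        iif "eth2" ip saddr 10.1.0.0/16 tcp dport 22 accept

        # A "reject" rule is the one case where the firewall does speak:
        # it sends a TCP RST sourced from whichever of its addresses the
        # client targeted. Keep such rules only where that is wanted,
        # e.g. ident (113) from inside so mail servers do not hang.
        iif "eth2" tcp dport 113 reject with tcp reset
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Inside LAN out to the Internet.
        iif "eth2" oif "eth0" ip saddr 10.1.0.0/16 accept

        # Internet to the publicly addressed DMZ web server, no NAT.
        iif "eth0" oif "eth1" ip daddr 203.0.113.80 tcp dport { 80, 443 } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Hide the inside LAN behind 198.51.100.10: a public address from a
        # block separate from the DMZ range and not the eth0 address.
        oif "eth0" ip saddr 10.1.0.0/16 snat to 198.51.100.10
    }
}
```

Load with `nft -f rules.nft`. The part that is easy to miss is routing: the kernel will happily rewrite the source to 198.51.100.10 even though no interface carries that address, but return packets only come back if the upstream router has a route for 198.51.100.0/28 pointing at 192.168.200.2 (or, if the block lives on the outside segment, if the firewall answers ARP for it). Without that route the NAT "works" on the way out and every reply is black-holed. Also note that `policy drop` on `input` only silences traffic addressed to the firewall; a `reject ... with tcp reset` rule still reveals a firewall address in the RST, exactly as Jason says.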