One caveat to this solution. Be careful if you are using VPN-1. VPN-1 wants the external interface to be the registered address and the address that your VPN clients connect to. In this case a non-routable address would not work.
-----Original Message-----
From: Jason Witty [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 08, 2000 8:13 PM
To: Larry Haff; [EMAIL PROTECTED]
Subject: Re: [FW1] Hide Internal Network NOT Using the FW's External IP
Larry,
I'm not sure I fully follow what you're trying to do, but you can
definitely hide any internal (or DMZ) network behind any address you want
(so long as you own it, of course). They don't have to be hidden behind
the external interface of the firewall at all. To that note, your outside
firewall interface doesn't even need to be a public address. In my
firewall setups, I generally use an internal 10.x.x.x interface, a
publicly addressed DMZ interface, and extranet and internet (outside)
interfaces in the 192.168.x.x range. Then I NAT behind a second public IP
range - completely separate from the DMZ public range.
And you can certainly drop all packets destined directly for the firewall
as well. That way, unless you had a few "reject" rules (which send TCP
RESETS sourced from the firewall), the firewall won't answer for anything
at all. Just a few thoughts.....
Jason
http://www.wittys.com
At 04:44 PM 6/8/00 -0700, Larry Haff wrote:
>
>Hi All,
>
>In trying to have a FW be as invisible as possible, I have often wondered if
>it would be desirable, or even possible, to hide the portion of a LAN that
>is not using NAT behind an IP address other than the one assigned to the
>external interface of the FW. Has anyone tried this? If yes, can you offer
>guidance?
>
>Larry Haff
>Network and Technical Administrator
>Institute of Computer Technology
>Email: [EMAIL PROTECTED]
>
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
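The setup Jason describes, as an added Python model (not code from the list or from Check Point): internal hosts are hidden behind a public address that is not any firewall interface address, while anything addressed to the firewall itself is dropped, or answered with a TCP RST only where a "reject" rule exists. All addresses are constructed (RFC 1918 and documentation ranges).

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HideNat:
    """Hide NAT: many internal hosts share one outside address, which does
    not have to be the address of the firewall's external interface."""

    def __init__(self, hidden_net, hide_addr, fw_addrs, reject_ports=()):
        self.hidden_net = ipaddress.ip_network(hidden_net)
        self.hide_addr = hide_addr            # public address we hide behind
        self.fw_addrs = set(fw_addrs)         # the firewall's own interfaces
        self.reject_ports = set(reject_ports)  # ports with a 'reject' rule
        self.fwd = {}   # (orig src, sport) -> hide port
        self.rev = {}   # hide port -> (orig src, sport)
        self.next_port = 10000

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source to hide_addr:unique_port."""
        if ipaddress.ip_address(pkt.src) not in self.hidden_net:
            return ("pass", pkt)  # not a hidden host, leave untouched
        key = (pkt.src, pkt.sport)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.rev[self.next_port] = key
            self.next_port += 1
        return ("pass", replace(pkt, src=self.hide_addr, sport=self.fwd[key]))

    def inbound(self, pkt):
        """Outside -> inside: translate replies; never answer for the firewall."""
        if pkt.dst in self.fw_addrs:
            return ("reject-rst" if pkt.dport in self.reject_ports else "drop", None)
        if pkt.dst == self.hide_addr and pkt.dport in self.rev:
            src, sport = self.rev[pkt.dport]
            return ("pass", replace(pkt, dst=src, dport=sport))
        return ("drop", None)  # unsolicited packet to the hide address


def demo():
    # constructed: RFC 1918 outside interface, separate public range for NAT
    nat = HideNat("10.0.0.0/8", hide_addr="198.51.100.10",
                  fw_addrs={"192.168.1.1", "10.0.0.1"}, reject_ports={113})
    out = nat.outbound(Packet("10.1.2.3", 40000, "203.0.113.5", 80))[1]
    back = nat.inbound(Packet("203.0.113.5", 80, out.src, out.sport))
    to_fw = nat.inbound(Packet("203.0.113.5", 5555, "192.168.1.1", 22))
    ident = nat.inbound(Packet("203.0.113.5", 5555, "192.168.1.1", 113))
    return out, back, to_fw, ident
```

Note that on a real gateway the hide address must also be answered for at layer 2 (proxy ARP or a route on the upstream router), which the model does not cover.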
