The way we have this is as follows.
We have a group (Company_Net) which covers all machines including both
internal machines and those on our DMZs. First rule in NAT is that if the
source is this group and the destination is this group then the translated
source and destination are the original ie no change.
This keeps each internal or DMZ machine using its own IP address when going
between these zones. I guess you can then assign rights based on their
original IPs if that is what you want.
Last rule is the one you have set up. Internal network going to anywhere
else for any service is translated to the Firewall IP as source with
original destination for any service.
Ali.
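The difference between the two rule bases in this thread comes down to ordering and first-match semantics: a "no NAT" rule for Company_Net to Company_Net has to sit above the hide rule, or the hide rule swallows LAN-to-DMZ traffic as well. The following is an added example, a small Python model of an ordered, first-match NAT rule base; it is not Check Point code and not something either poster supplied. The internal network and the firewall's hide address are taken from Frederic's mail; the DMZ subnet (194.122.123.128/25, containing the nic2 address 194.122.123.133), the DMZ host 194.122.123.140 and the Internet host 198.51.100.7 are assumptions made for the example.

```python
"""Model of an ordered, first-match NAT rule base in the FireWall-1 style
described in the thread.  Added example, not Check Point code.

Addresses from Frederic's mail: 172.16.1.0/24 (nic1), 194.122.123.133 (nic2),
194.122.123.1 (nic3, the hide address).  Assumed for the example: the DMZ
subnet 194.122.123.128/25 and the hosts 194.122.123.140 and 198.51.100.7.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL = ip_network("172.16.1.0/24")      # nic1, from the original mail
DMZ = ip_network("194.122.123.128/25")      # assumed subnet behind nic2
FIREWALL_IP = ip_address("194.122.123.1")   # nic3, address used for hide NAT
ANY = ip_network("0.0.0.0/0")

# The "Company_Net" group from Ali's reply: every internal and DMZ machine.
COMPANY_NET = [INTERNAL, DMZ]


@dataclass
class NatRule:
    name: str
    src: List[IPv4Network]
    dst: List[IPv4Network]
    xlate_src: Optional[IPv4Address]  # None means "keep the original source"


def matches(addr: IPv4Address, nets: List[IPv4Network]) -> bool:
    return any(addr in net for net in nets)


def translate(rules: List[NatRule], src: IPv4Address,
              dst: IPv4Address) -> Tuple[str, IPv4Address, IPv4Address]:
    """Walk the rule base top-down; the first matching rule decides.

    Returns (rule name, translated source, destination).  Destination is
    never rewritten here because neither poster's rules touch it.
    """
    for rule in rules:
        if matches(src, rule.src) and matches(dst, rule.dst):
            new_src = src if rule.xlate_src is None else rule.xlate_src
            return rule.name, new_src, dst
    return "no-match", src, dst  # nothing matched: packet passes untranslated


# Ali's first rule: Company_Net -> Company_Net keeps original addresses.
NO_NAT_RULE = NatRule("Company_Net->Company_Net: no NAT",
                      COMPANY_NET, COMPANY_NET, None)
# Ali's last rule (and Frederic's only rule): hide the LAN behind nic3.
HIDE_RULE = NatRule("Internal->Any: hide behind firewall",
                    [INTERNAL], [ANY], FIREWALL_IP)

ALI_RULEBASE = [NO_NAT_RULE, HIDE_RULE]        # the order Ali describes
FREDERIC_RULEBASE = [HIDE_RULE]                # Frederic's current setup
WRONG_ORDER_RULEBASE = [HIDE_RULE, NO_NAT_RULE]  # same rules, hide rule first


def source_seen_by(rulebase: List[NatRule], src: str, dst: str) -> str:
    """Source address the destination host observes after NAT."""
    return str(translate(rulebase, ip_address(src), ip_address(dst))[1])


def matched_rule(rulebase: List[NatRule], src: str, dst: str) -> str:
    """Name of the rule that decided the translation."""
    return translate(rulebase, ip_address(src), ip_address(dst))[0]


if __name__ == "__main__":
    flows = [("172.16.1.10", "194.122.123.140"),   # LAN workstation -> DMZ host
             ("172.16.1.10", "198.51.100.7"),      # LAN workstation -> Internet
             ("194.122.123.140", "172.16.1.10")]   # DMZ host -> LAN workstation
    for label, rb in [("Frederic", FREDERIC_RULEBASE), ("Ali", ALI_RULEBASE),
                      ("wrong order", WRONG_ORDER_RULEBASE)]:
        for src, dst in flows:
            print(f"{label:12} {src:>16} -> {dst:<16} "
                  f"seen as {source_seen_by(rb, src, dst):<16} "
                  f"({matched_rule(rb, src, dst)})")
```

Running the block shows the three outcomes side by side: with only the hide rule, the DMZ host sees every LAN workstation as 194.122.123.1, so no per-workstation restriction by IP is possible on that segment; with Ali's no-NAT rule on top, the DMZ sees the original 172.16.1.x address while Internet-bound traffic is still hidden; and with the same two rules in the opposite order the no-NAT rule never fires, which is why the order matters as much as the rule itself.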
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frederic Lemoine
Sent: 27 June 2000 16:52
To: [EMAIL PROTECTED]
Subject: [FW1] Internal LAN + DMZ (hide NAT for LAN)
Hello,
I have a fw with three network cards :
nic1 = 172.16.1.0 = Internal LAN
nic2 = 194.122.123.133 = DMZ
nic3 = 194.122.123.1 = gateway to the Internet
I do NAT in hide mode for the internal LAN. Therefore, packets going out of
the LAN take the IP address of the gateway (194.122.123.1).
My problem is that they take that IP, no matter where they go, ie. also when
they go to the DMZ.
If I want to restrict the access from the Internal LAN to the DMZ, I must
restrict the access from the fw to the DMZ, and I feel a bit uncomfortable to
do that.
In any case, there is no way to restrict access from _some_ workstation on the
LAN, but not from _some_ other, as all go out with the same IP. Right?
Finally, how is it possible to restrict the access from the DMZ to some/all
workstations on the Internal LAN?
Could anyone make some recommendations/suggestions.
Thanks.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================