James,

Thanks for this; however, we actually have 8 /24 networks currently...but it 
would take a lot more work to NAT the entire 256 addresses than to assign the 
www et al illegal addresses....but I take on board what you've said and will 
consider it a bit more fully...so thanks.

My firewall currently only has two NICs installed.

At 08:33 29/01/2001 -0600, James Edwards wrote:
>I'm sure someone will correct me if I am wrong but it would seem to make
>more sense to move your WWW and other servers to the DMZ, give them the
>111.111.111.0 network and NAT your internal network.  I am assuming you only
>have one Class C network so are limited internally to the 256 addresses but
>by NATing them on the 10.0.0.0 network, you would effectively be giving
>yourself a Class A network and giving yourself a whole lot more IP addresses
>for use with your internal PCs, printers, and servers.
>
>Also, if your NT firewall has three NICs, you should be able to do a DMZ
>without any new hardware.  Set it up like this
>
>Internet
>     |
>     |
>Firewall ------- DMZ
>     |
>     |
>Internal Network
>
>Hope this helps.
>
>Jim Edwards
>Systems Manager
>Texas Secretary of State
>
>-----Original Message-----
>From: Paul Messer [mailto:[EMAIL PROTECTED]]
>Sent: Monday, January 29, 2001 7:46 AM
>To: [EMAIL PROTECTED]
>Subject: [FW1] Firewall-1 DMZ configuration.
>
>
>
>Dear All,
>
>we here have a problem...in that we have no DMZ currently....
>
>I want to move all our externally facing www and ftp etc servers to a DMZ
>and I'm considering the Nokia FW platform to do it with...currently we're
>running it on an NT server.
>
>All the FTP and www servers have the same Class C network address as the
>rest of our network, i.e. www is 111.111.111.111, my machine is
>111.111.111.67...is it possible to use NAT to ip address these boxes i.e.
>10.10.50.111 and so on whilst still showing their real address to the
>outside world even though the network address shown would be normally
>routed on to our network...
>
>e.g...
>
>FW-1 with 3 NICs ----> NAT 111.111.111.111 ----> 10.10.50.111
>
>Also would it be possible / prudent to move the DNS / Mail server to the
>DMZ using the same NAT even though it's a POP3 mail server which ppl would
>connect to internally to collect mail.
>
>I'm sorry if it's a really stupid question but we've never done it before
>and I've only ever dabbled with NAT.
>
>Thanks in advance.
>
>
>
>============================================================================
>====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
>============================================================================
>====


