Firewall Wizards mailing list archives

Re: NAT on router vs. firewall


From: Neil Pike <NeilPike () compuserve com>
Date: Wed, 15 Jul 1998 03:45:21 -0400



<< From: Bill_Royds () pch gc ca
How would you implement rules on firewall based on source address or
destination address? The firewall would only see the NAT versions of IP
numbers so would not have any basis other than port to filter.
781.321.6000 >>

 Yes, the firewall only needs to see NAT'd addresses, but usually you 
have a one-to-one mapping for destination addresses inside your 
network, therefore you can apply rules just as tightly.  For traffic 
coming in from outside (e.g. the internet) usually you're not going to 
know the source address anyway, so I find it easier to translate these 
to a pool of NAT'd addresses so that the firewall then knows that 
anything coming in from 40.10.10.x (say) is actually an Internet 
address.
    
 Neil Pike MVP/MCSE
 Protech Computing Ltd
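
A small model of the arrangement described in the message above, added here as an illustration and not part of the original post: the router applies a one-to-one destination mapping and rewrites Internet sources into a pool, and the firewall filters only on the translated addresses. Only the 40.10.10.x pool comes from the message; the 192.0.2.x public addresses, the 10.1.1.x inside addresses, the rule set and all function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumption): public address -> NAT'd inside address.
STATIC_DST = {
    "192.0.2.10": "10.1.1.10",   # web server
    "192.0.2.25": "10.1.1.25",   # mail relay
}
# Pool the router uses for Internet sources (the 40.10.10.x range from the post).
INTERNET_POOL = ipaddress.ip_network("40.10.10.0/24")

def router_nat(src, dst, pool_index=0):
    """Translate as the router would: static map for dst, pool address for src."""
    if dst not in STATIC_DST:
        return None                      # no one-to-one mapping: never reaches the firewall
    hosts = list(INTERNET_POOL.hosts())
    new_src = str(hosts[pool_index % len(hosts)])
    return new_src, STATIC_DST[dst]

# Firewall rules written purely against NAT'd addresses (constructed rule set).
RULES = [
    (INTERNET_POOL, "10.1.1.10", 80, "allow"),
    (INTERNET_POOL, "10.1.1.10", 443, "allow"),
    (INTERNET_POOL, "10.1.1.25", 25, "allow"),
]

def firewall_decide(src, dst, dport):
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(src)
    for net, rule_dst, rule_port, action in RULES:
        if addr in net and dst == rule_dst and dport == rule_port:
            return action
    return "deny"

def handle(src, dst, dport, pool_index=0):
    """Full path: router NAT first, then the firewall decision."""
    translated = router_nat(src, dst, pool_index)
    if translated is None:
        return "drop-at-router"
    return firewall_decide(translated[0], translated[1], dport)

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "192.0.2.10", 80),
                ("198.51.100.7", "192.0.2.10", 25),
                ("203.0.113.9", "192.0.2.25", 25),
                ("203.0.113.9", "192.0.2.99", 80)]:
        print(pkt, "->", handle(*pkt))
```

Because the pool replaces the original source, the firewall in this model can tell that a packet came from the Internet but cannot distinguish one Internet host from another; per-source filtering or logging would have to happen on the router.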


 


