Firewall Wizards mailing list archives

RE: NAT


From: sean.kelly () lanston com
Date: Tue, 27 Jul 1999 11:45:31 -0400

I am trying to put a firewall up and my ISP's suggestions seem to conflict
with my documentation. We are going to put a public web server behind the
firewall.

Why?

From what I have read we have to use NAT so that people on the
internet can access sites hosted on this server.

This depends on the IP address you use.  If it is a public IP then you don't
need to use NAT; if it is part of the block of IPs designated for internal use
(the 192.168.x.x class B is a popular block) then you will.

The documentation says:

Many routers must be configured so that the router uses a subnet mask that
is greater than or equal to the firewall's subnet mask.

Basically, this means that if your firewall protects the subnet 192.168.0.x,
then the router has to route at least the traffic for that subnet to the
firewall.  It's just a tech way of overstating the obvious.

If the public IP of web server is not the same as the firewall's non-secure
IP, then the router must be configured such that it routes traffic for the
web server via the firewall's non-secure IP address.

This is getting into how to set up NAT for public access to a facility
behind the firewall.  In the case of a webserver, I really can't think of a
reason you would want to put it behind the firewall.  This is generally a
bad idea.


                      The NAT pool will use
                      209.51.10.192/26
                      209.51.10.160/27
                      209.51.10.144/28
                      209.51.10.136/29

This is for ppl inside the firewall to be able to surf the net as well as
for your webserver I assume.  Sounds fine.

The router is currently configured at 209.51.10.128/25.  My ISP says that I
do not have to do anything to the router for the firewall to work.  They
also said the Public port of the firewall will respond to all of the IP
addresses that are in the NAT pool.

This should all be true.  Again, my only question remains "why do you want
to put a public webserver inside your firewall?"  Other than that, it all
seems like it should work.


Sean
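
The following check is an added example, not part of the original message or of any vendor documentation. It uses the prefixes quoted in the thread to confirm that every NAT pool block sits inside the block configured on the router, that no two pool blocks overlap, and which addresses of the router's block the pool leaves unused; the function name `check_pool` is an assumption made for illustration.

```python
import ipaddress

# Prefixes quoted in the message above.
ROUTED = "209.51.10.128/25"
NAT_POOL = ["209.51.10.192/26", "209.51.10.160/27",
            "209.51.10.144/28", "209.51.10.136/29"]


def check_pool(routed, pool):
    """Compare NAT pool prefixes with the block configured on the router.

    Returns (outside, overlaps, uncovered) as lists of strings:
      outside   - pool prefixes not contained in the routed block
      overlaps  - pairs of pool prefixes that share addresses
      uncovered - parts of the routed block that no pool prefix claims
    """
    routed_net = ipaddress.ip_network(routed)
    nets = [ipaddress.ip_network(p) for p in pool]

    outside = [str(n) for n in nets if not n.subnet_of(routed_net)]
    overlaps = [(str(a), str(b)) for i, a in enumerate(nets)
                for b in nets[i + 1:] if a.overlaps(b)]

    # Subtract each pool prefix from what is left of the routed block.
    remaining = [routed_net]
    for n in nets:
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))  # keep r minus n
            elif not r.subnet_of(n):
                nxt.append(r)                     # disjoint, keep as is
            # else: r lies wholly inside n and is dropped
        remaining = nxt
    uncovered = [str(n) for n in ipaddress.collapse_addresses(remaining)]
    return outside, overlaps, uncovered


if __name__ == "__main__":
    outside, overlaps, uncovered = check_pool(ROUTED, NAT_POOL)
    print("outside routed block:", outside)
    print("overlapping pool entries:", overlaps)
    print("routed but not in pool:", uncovered)
```

For the values in the thread the pool is fully inside 209.51.10.128/25 with no overlaps, and only 209.51.10.128/29 is left outside the pool.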


