Firewall Wizards mailing list archives

Re: Sunscreen EFS 3.1 stealth mode and NAT


From: Roy Culley <tgdcuro1 () gd2 swissptt ch>
Date: Wed, 21 May 2003 11:22:35 +0200

Hi Valerie,

Thanks for your replies. 

> That part of your configuration seems fine.  Have you set your
> STEALTH_NET on your screen object?  That is required whenever you are
> doing anything in stealth mode that requires rewriting of the IP
> headers (such as NAT or tunnelling).

Perhaps an ASCII network drawing will help:


                          -----------------
                         | external router |
                          -----------------
                                  | Public subnet
                          -----------------
                         |    sunscreen    |
                          -----------------
                                  | Public subnet
                          -----------------
                         | internal router |
                          -----------------
                                  | Private subnet
                          -----------------
                         |      router     |
                          -----------------
                                  | Private subnet
                          -----------------
                         |    DNS server   |
                          -----------------

As you can see, the DNS server is more than one hop away from the sunscreen
subnet. From what I can see the sunscreen is in fact doing the right thing.
It is forwarding the ARP broadcast from the external router, having modified
the DNS server IP address in the ARP request packet. The internal router
doesn't know about the DNS server IP address, so it ignores the ARP packet.

The internal router is not a simple Cisco box. It is a combined load
balancer, switch and router. Apparently that box cannot do proxy ARP.
The network guys are going to install a 'normal' router in front of
it. As this can also do NAT, the NAT function will not be required on
the sunscreen.

Hope that is clear. :-)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
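As an added illustration that is not part of the post above: a small Python model of the ARP exchange Roy describes, with constructed addresses and a deliberately simplified router, showing why the rewritten ARP request is ignored by the internal router unless that router does proxy ARP for the private subnet.

```python
# Added example (not from the post): a small model of the ARP exchange the
# post describes, showing why the request dies at the internal router unless
# that router does proxy ARP. All addresses are constructed for illustration.
import ipaddress

PUBLIC_DNS_IP = "192.0.2.53"   # NAT address the external router ARPs for
PRIVATE_DNS_IP = "10.1.2.53"   # real DNS server, two hops behind the screen
EXTERNAL_ROUTER_IP = "192.0.2.1"

class ArpRequest:
    def __init__(self, sender_ip, target_ip):
        self.sender_ip, self.target_ip = sender_ip, target_ip

class StealthNatBridge:
    """Bridges the ARP broadcast, rewriting the target from the NAT address
    to the private one (what the post says the SunScreen does)."""
    def __init__(self, nat_map):
        self.nat_map = nat_map  # public IP -> private IP

    def forward(self, req):
        return ArpRequest(req.sender_ip, self.nat_map.get(req.target_ip, req.target_ip))

class Router:
    """Replies to ARP for its own interface IPs; for routed addresses only
    when proxy ARP is enabled; otherwise it stays silent."""
    def __init__(self, own_ips, routes, proxy_arp=False):
        self.own_ips = set(own_ips)
        self.routes = [ipaddress.ip_network(r) for r in routes]
        self.proxy_arp = proxy_arp

    def handle_arp(self, req):
        if req.target_ip in self.own_ips:
            return "reply"
        target = ipaddress.ip_address(req.target_ip)
        if self.proxy_arp and any(target in net for net in self.routes):
            return "proxy-reply"
        return None  # ignored: the router neither owns nor proxies this address

def arp_outcome(proxy_arp):
    """One ARP request from the external router, through the screen, to the
    internal router; returns that router's response or None."""
    screen = StealthNatBridge({PUBLIC_DNS_IP: PRIVATE_DNS_IP})
    internal = Router(own_ips=["192.0.2.2", "10.0.0.1"],
                      routes=["10.0.0.0/24", "10.1.2.0/24"], proxy_arp=proxy_arp)
    return internal.handle_arp(screen.forward(ArpRequest(EXTERNAL_ROUTER_IP, PUBLIC_DNS_IP)))
```

With proxy ARP off the call returns None, which is the silent drop described in the post; with it on the router answers on behalf of the private DNS address.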