Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Static NAT with a twist

From: Oliver Humpage <oliver () watershed co uk>
Date: Thu, 23 Mar 2006 16:05:10 +0000

<de-lurk>

Hallo all,

I was hoping to get some advice from people familiar with PIX firewall
configuration, to make sure one (e.g. the 515E) would do what I wanted it to
do before I buy it. I hope that's OK on this list.

I have a slightly complicated setup: essentially, there are 2 networks
coming into the server room, and one web server. The web server will be
hosting some sites on an IP on "net_1", and some on an IP on "net_2". It
currently has just one IP, on net_1.

I won't go into details, but letting the networks "mix" on the wires, VLANs,
or extra NICs are not solutions in my case. So it has to be done at the
border router.

What I'd really like is a router/firewall that can assume "net_1" is the
default, and pass packets to/from it, but if a packet comes in for net_2 it
rewrites it ("static NAT" essentially) to net_1.

So for instance:

Request comes in for net_1:

                to net_1
------------- <---------- ---------- <--- packet to net_1
| Web server|             | Router |
------------- ----------> ---------- ---> packet from net_1
              from net_1


Request comes in for net_2:

                to net_1
------------- <---------- ---------- <--- packet to net_2
| Web server|             | Router |
------------- ----------> ---------- ---> packet from net_2
              from net_1

Traffic originating from net_1 stays on net_1:

-------------            ----------
| Web server|            | Router |
------------- ---------> ---------- ---> packet from net_1
              from net_1

It's this third one that will require some tricksiness, since otherwise I'd
just use static NAT and have done with it.

Many thanks for any help/advice you can offer as to what kit will do this.

Oliver.


-- 
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: