Firewall Wizards mailing list archives
Re: NAT sanity check
From: James <jimbob.coffey () gmail com>
Date: Tue, 6 Nov 2007 11:49:53 +1100
On 11/2/07, David Steele <steeled3 () gmail com> wrote:
> Hi, I'm hoping someone can provide a sanity check on the following configuration - i.e.: will it work? I've got a /29 public network, addresses (say) .2 to .6, with default gateway of .1. Can I place a Checkpoint firewall on .2 and have it use the remaining addresses for NAT'd services on the other side of the firewall?
Yes, not a problem. Use static ARPs on the firewall (Cisco calls it proxy ARP). FW-1 will automagically create them for you as well, but there have been issues with this in the past (depends on OS and firewall revision).
> I ask as I'm certain I've done this in the past, but I'm a few years out of doing firewall work and my current technical contact reckons this won't work - that the default gate will ARP for the address and the .2 firewall won't respond; and that furthermore the only way to use the addresses would be to put a different subnet between the default gateway and the firewall and route the /29 network to the firewall (which I agree will work, but...)
Hmm, time for a new technical contact... I actually prefer the route-based method, but then I have address space to burn a /30 on.
> Also, would it work if the firewall was a PIX?
Should do. I think the PIX will even create them for you if you configure NAT rules.
> TIA
> --
> _______________________________
> David Steele
> <insert sig line witticism here>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
--
jac
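The two designs discussed in this thread, modeled as an added example that is not part of either poster's message: the default gateway ARPs for each NAT address on the shared /29, and delivery succeeds only if the firewall answers for that address, or if the /29 is routed to the firewall over a transit /30. The addresses are documentation prefixes chosen for illustration, the MAC is constructed, and the class and function names are hypothetical.

```python
import ipaddress

FW_MAC = "02:00:00:00:00:02"  # constructed, locally administered MAC

class Firewall:
    """Outside interface of the firewall as seen by ARP."""
    def __init__(self, own_ips, published=()):
        self.own = {ipaddress.ip_address(i) for i in own_ips}
        # Static/proxy ARP entries published for NAT addresses.
        self.published = {ipaddress.ip_address(i) for i in published}

    def arp_reply(self, target):
        return FW_MAC if target in self.own | self.published else None

def gateway_deliver(dst, table, fw):
    """Model the default gateway forwarding one packet toward dst.
    table: list of (prefix, next_hop); next_hop None means directly connected.
    Returns the MAC the frame is sent to, or None if ARP goes unanswered."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, nh = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
    arp_target = dst if nh is None else ipaddress.ip_address(nh)
    return fw.arp_reply(arp_target)

def reachable(nat_ips, table, fw):
    return {ip: gateway_deliver(ip, table, fw) is not None for ip in nat_ips}

# Assumed addressing: gateway .1, firewall .2, NAT addresses .3 to .6.
NAT_IPS = ["203.0.113.3", "203.0.113.4", "203.0.113.5", "203.0.113.6"]
FLAT = [("203.0.113.0/29", None)]  # gateway and firewall share the /29

def scenarios():
    # 1. Firewall answers ARP only for its own address.
    no_arp = reachable(NAT_IPS, FLAT, Firewall(["203.0.113.2"]))
    # 2. Firewall publishes ARP entries for the NAT addresses.
    proxy = reachable(NAT_IPS, FLAT,
                      Firewall(["203.0.113.2"], published=NAT_IPS))
    # 3. Transit /30 between gateway and firewall, /29 routed to the firewall.
    routed_table = [("198.51.100.0/30", None),
                    ("203.0.113.0/29", "198.51.100.2")]
    routed = reachable(NAT_IPS, routed_table, Firewall(["198.51.100.2"]))
    return no_arp, proxy, routed

if __name__ == "__main__":
    for name, result in zip(("no published ARP", "published ARP", "routed /29"),
                            scenarios()):
        print(name, result)
```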