Firewall Wizards mailing list archives
NAT
From: "Josh Sides" <jzsides () stoneeagle com>
Date: Fri, 23 Jul 1999 09:19:22 -0000
Hello,

I am trying to put a firewall up and my ISP's suggestions seem to conflict with my documentation. We are going to put a public web server behind the firewall. From what I have read we have to use NAT so that people on the internet can access sites hosted on this server.

The documentation says:

Many routers must be configured so that the router uses a subnet mask that is greater than or equal to the firewall's subnet mask. If the public IP of web server is not the same as the firewall's non-secure IP, then the router must be configured such that it routes traffic for the web server via the firewall's non-secure IP address. The DMZ subnet includes the firewall's non-secure IP address. It also includes the IP addresses of any public servers that are placed outside the firewall. The DMZ subnet must not be the same as, or overlap with, the Reserve (NAT Translation Pool) subnet.

We have 1/2 of a class C range of IP addresses (209.51.10.128/25). I believe that we have to subnet this even further to meet the conditions named above. I am trying to subnet it like this:

The DMZ will use 209.51.10.128/29

The NAT pool will use
209.51.10.192/26
209.51.10.160/27
209.51.10.144/28
209.51.10.136/29

The Secure net will use 90.0.0.0/24

The router is currently configured at 209.51.10.128/25. My ISP says that I do not have to do anything to the router for the firewall to work. They also said the Public port of the firewall will respond to all of the IP addresses that are in the NAT pool.

Any suggestions would be appreciated.

Thanks
Josh Sides
StoneEagle Insurance Systems
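An added example, not part of the original post: a Python check of the subnet plan in the message against the documentation's conditions (every block inside 209.51.10.128/25, DMZ not overlapping the NAT pool), plus how a router interface sees each NAT block. The function names and the narrowed /29 router interface are assumptions made for illustration.

```python
import ipaddress as ipa
from itertools import combinations

# Values taken from the post.
ALLOCATION = ipa.ip_network("209.51.10.128/25")
DMZ = [ipa.ip_network("209.51.10.128/29")]
NAT_POOL = [ipa.ip_network(n) for n in (
    "209.51.10.192/26", "209.51.10.160/27",
    "209.51.10.144/28", "209.51.10.136/29")]

def check_plan(allocation, dmz, nat_pool):
    """Return subnets outside the allocation, overlapping pairs, unused space."""
    used = dmz + nat_pool
    outside = [n for n in used if not n.subnet_of(allocation)]
    overlaps = [(a, b) for a, b in combinations(used, 2) if a.overlaps(b)]
    remaining = [allocation]
    for u in used:
        nxt = []
        for r in remaining:
            if not u.overlaps(r):
                nxt.append(r)                     # untouched by this subnet
            elif not u.supernet_of(r):
                nxt.extend(r.address_exclude(u))  # u lies strictly inside r
            # otherwise r is fully consumed by u
        remaining = nxt
    unused = sorted(ipa.collapse_addresses(remaining))
    return outside, overlaps, unused

def router_view(router_net, subnets):
    """'on-link': the router ARPs for these addresses on its own segment.
    'routed': the router needs a route pointing at the firewall."""
    return {str(s): "on-link" if s.subnet_of(router_net) else "routed"
            for s in subnets}

if __name__ == "__main__":
    outside, overlaps, unused = check_plan(ALLOCATION, DMZ, NAT_POOL)
    print("outside allocation:", outside)
    print("overlapping pairs: ", overlaps)
    print("unused space:      ", unused)
    # Router interface as currently configured (from the post).
    print(router_view(ALLOCATION, NAT_POOL))
    # Hypothetical: router interface narrowed to the DMZ subnet.
    print(router_view(DMZ[0], NAT_POOL))
```

With the router interface left at /25, every NAT block is on-link, so the router delivers to those addresses only if something on the segment answers ARP for them; with a narrower interface each NAT block needs a route via the firewall's non-secure IP address.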