Firewall Wizards mailing list archives

NAT


From: "Josh Sides" <jzsides () stoneeagle com>
Date: Fri, 23 Jul 1999 09:19:22 -0000
Hello,

I am trying to put a firewall up and my ISP's suggestions seem to conflict
with my documentation. We are going to put a public web server behind the
firewall.  From what I have read we have to use NAT so that people on the
Internet can access sites hosted on this server.

The documentation says:

Many routers must be configured so that the router uses a subnet mask that
is greater than or equal to the firewall's subnet mask.

If the public IP of web server is not the same as the firewall's non-secure
IP, then the router must be configured such that it routes traffic for the
web server via the firewall's non-secure IP address.

The DMZ subnet includes the firewall's non-secure IP address.  It also
includes the IP addresses of any public servers that are placed outside the
firewall.  The DMZ subnet must not be the same as, or overlap with, the
Reserve (NAT Translation Pool) subnet.

We have 1/2 of a class C range of IP addresses (209.51.10.128/25).  I believe
that we have to subnet this even further to meet the conditions named above.
I am trying to subnet it like this:

                        The DMZ will use
                        209.51.10.128/29

                        The NAT pool will use
                        209.51.10.192/26
                        209.51.10.160/27
                        209.51.10.144/28
                        209.51.10.136/29

                        The Secure net will use
                        90.0.0.0/24

The router is currently configured at 209.51.10.128/25.  My ISP says that I
do not have to do anything to the router for the firewall to work.  They
also said the Public port of the firewall will respond to all of the IP
addresses that are in the NAT pool.

Any suggestions would be appreciated.
Thanks
Josh Sides
StoneEagle Insurance Systems
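The documentation quoted above requires that the DMZ block and the NAT translation pool not overlap, and the plan carves the ISP's /25 into five smaller prefixes by hand. Below is an added example script (not part of the original post or of any firewall vendor's tooling) that takes the prefixes exactly as listed in the message and checks three things with the Python standard library: that every block lies inside 209.51.10.128/25, that no two blocks overlap, and that the blocks tile the /25 with nothing left over. Getting this wrong is a classic way to end up with a public server that is unreachable or, worse, answered by the wrong device, so it is worth checking before cabling anything.

```python
import ipaddress

# Prefixes constructed from the plan in the post.
ASSIGNED = "209.51.10.128/25"          # the half class C from the ISP
DMZ = "209.51.10.128/29"               # firewall non-secure side + public servers
NAT_POOL = [                            # the Reserve / NAT translation pool
    "209.51.10.192/26",
    "209.51.10.160/27",
    "209.51.10.144/28",
    "209.51.10.136/29",
]


def _net(n):
    """Accept either a string prefix or an ip_network object."""
    return n if isinstance(n, ipaddress._BaseNetwork) else ipaddress.ip_network(n)


def all_within(parent, subnets):
    """True if every subnet lies entirely inside parent."""
    parent = _net(parent)
    return all(_net(s).subnet_of(parent) for s in subnets)


def pairwise_overlaps(subnets):
    """Return the (a, b) string pairs that overlap; empty list means clean."""
    nets = [_net(s) for s in subnets]
    found = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                found.append((str(a), str(b)))
    return found


def leftover(parent, subnets):
    """Address blocks of parent not covered by any subnet, as sorted strings."""
    remaining = [_net(parent)]
    for s in map(_net, subnets):
        nxt = []
        for r in remaining:
            if s.subnet_of(r):
                # carve s out of r (yields nothing if s == r)
                nxt.extend(r.address_exclude(s))
            elif r.subnet_of(s):
                continue  # r is swallowed whole by s
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(str(n) for n in ipaddress.collapse_addresses(remaining))


def is_exact_partition(parent, subnets):
    """True if subnets tile parent exactly: inside, no overlap, no gaps."""
    return (all_within(parent, subnets)
            and not pairwise_overlaps(subnets)
            and not leftover(parent, subnets))


def check_plan(assigned, dmz, nat_pool):
    """Summarise the plan's sanity as a dict of simple values."""
    blocks = [dmz] + list(nat_pool)
    return {
        "dmz_in_assigned": all_within(assigned, [dmz]),
        "pool_in_assigned": all_within(assigned, nat_pool),
        "dmz_overlaps_pool": bool(pairwise_overlaps(blocks)),
        "unused_blocks": leftover(assigned, blocks),
        "exact_partition": is_exact_partition(assigned, blocks),
    }


if __name__ == "__main__":
    for k, v in check_plan(ASSIGNED, DMZ, NAT_POOL).items():
        print(f"{k}: {v}")
```

For the plan in the message the script reports no overlap and no unused addresses (8 + 8 + 16 + 32 + 64 = 128 = one /25). If the DMZ were widened to a /28 instead, `pairwise_overlaps` would flag it against 209.51.10.136/29, which is exactly the condition the documentation forbids.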