Firewall Wizards mailing list archives

Re: NAT


From: carl () bl echidna id au
Date: Thu, 27 Apr 2000 08:01:29 +1000 (EST)


You could try pestering your ISP to support IPv6 :)

 Mon, 24 Apr 2000 13:53:58 -0600
To: sean.kelly () lanston com
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] NAT
From: "Alexandre A. Rodioukov" <simuran () home com>
Date: 24 Mar 2000 12:52:05 -0700

sean.kelly () lanston com writes:

> You don't need your ISP to provide you with a private subnet.  The problem
> you face is one that pretty much everyone in the industry does.  The only
> machine you want to assign a "plain" IP is one you want to be visible to the
> world -- a web server, etc.  There are sets of IP ranges designated for
> private use.  The most commonly used range is the 192.168.x.x C class.  Come
> up with a scheme for your machines using this IP range and get a
> firewall/proxy server.  For small networks, products like SyGate on a spare
> PC are often sufficient.

I'm aware of that fact :) Talking about a subnet, I was talking about a
routable subnet, where the ISP sets its routing so that packets for this
subnet (net) come through our gate/firewall. Unfortunately in my area
(Alberta) most of the xDSL providers just give you 2-8 IP addresses
from their IP space and assume that you are going to plug the modem
into the hub and/or use a hardware firewall.

> This is indeed NAT.

I was hitting my head against the wall trying to come up with NAT
rules for such a scheme, but I failed. I need your help, guys.

> What rules do you mean?  Any of the products out there that do NAT should be
> able to be set up without too much trouble.  It doesn't sound like you're
> doing anything unusual.

I think the thing I'm looking for is static NAT. Unfortunately my
first attempts to get NAT working were done on a Linux system (it
seems to me that the level of support for NAT in Linux is not that
great). What I wanted to do is for outsiders to be able to access some
machines/services inside the network via real IPs (the machines
themselves are assigned fake addresses). Also it would be kinda great
if some outgoing connections from the internal net were seen as coming
from the real IPs mapped to the originating address. (Hope that makes
sense.) Small diagram:

            -----
 world -----| fw |----- local net
            -----
           10.x.x.x
           x.x.x.1
           x.x.x.2  real IP addresses aliased on the fw
           .......
           x.x.x.n

And for some machines in the internal net the following mapping will
work: 10.x.x.y <-> x.x.x.y (all outgoing connections from 10.x.x.y to
the outside world would be seen as if they originated from x.x.x.y, and
all incoming connections to x.x.x.y would be forwarded to 10.x.x.y).

> Sean

Thanks for your answer,

with kind regards, Sasha.
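The mapping Sasha describes (10.x.x.y <-> x.x.x.y, with outbound traffic rewritten to the public address and inbound traffic to that address forwarded to the internal host) is what netfilter calls static or 1:1 NAT: an SNAT rule in POSTROUTING plus a DNAT rule in PREROUTING per host, with the public address aliased on the firewall's external interface so it answers ARP for it. The script below is an added example, not anything posted in this thread, and it uses iptables, which arrived with the 2.4 kernel after this thread was written (2.2 kernels used ipchains and ipmasqadm for this). Interface names eth0/eth1, the 10.0.0.0/24 internal net, the 203.0.113.0/29 public block (a documentation range standing in for the provider-assigned 2-8 addresses) and the three host mappings are all constructed for the example.

```shell
#!/bin/sh
# Static (1:1) NAT for the layout in the thread. Assumed for the example
# (not from the original posts): eth0 faces the ISP, eth1 faces the local
# net, 10.0.0.0/24 is the fake-address range and 203.0.113.0/29 is the
# provider-assigned block. The script prints the rule set so it can be
# reviewed first; APPLY=1 runs it (as root).

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-10.0.0.0/24}

# Constructed mapping table: "internal public [tcp_ports]". A host with
# no port list gets a fixed public source address on the way out but is
# never reachable from outside; only listed ports are exposed inbound.
MAPPINGS='10.0.0.10 203.0.113.10 80,443
10.0.0.11 203.0.113.11 25
10.0.0.12 203.0.113.12'

# Emit the commands for one mapping instead of executing them.
static_nat_rules() {
    internal=$1 public=$2 ports=$3
    # Alias the public address on the external interface: the ISP's router
    # ARPs for it on the segment, and without this the packets the DNAT
    # rule is meant to catch never arrive.
    echo "ip addr add $public/32 dev $EXT_IF"
    # Outbound: rewrite the source so the host is seen as $public.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $internal -j SNAT --to-source $public"
    # Inbound: rewrite the destination before routing so it is forwarded to
    # the internal host, and let only new connections to listed ports
    # through FORWARD (FORWARD sees the already-rewritten destination).
    if [ -n "$ports" ]; then
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $public -p tcp -m multiport --dports $ports -j DNAT --to-destination $internal"
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $internal -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    fi
}

generate_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Nothing is forwarded unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT"
    printf '%s\n' "$MAPPINGS" | while read -r internal public ports; do
        if [ -n "$internal" ]; then
            static_nat_rules "$internal" "$public" "$ports"
        fi
    done
    # Catch-all last: POSTROUTING is first-match, so the per-host SNAT rules
    # must precede this or every host would leave as the firewall's own
    # address. Unmapped hosts share that address (many-to-one NAT).
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE"
}

if [ "${APPLY:-0}" = 1 ]; then
    generate_rules | sh -e
else
    generate_rules
fi
```

The public addresses must lie in the block the ISP routes onto the firewall's segment, which is exactly the 2-8 address xDSL case in the thread; a /32 alias per mapped host is enough because the primary address on eth0 already carries the /29 route. Review the printed output, then run with APPLY=1 and persist it with iptables-save, since the rules do not survive a reboot on their own.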




