Firewall Wizards mailing list archives

RE: NAT Based on Service with only one legal IP


From: "Ben Nagy" <ben () iagu net>
Date: Wed, 21 May 2003 09:14:16 +0200

I think you are asking if you can have static port NAT mappings for
different services going to different internal physical servers, and also do
that for dynamically assigned IP addresses as well as statically configured
ones.

Offhand I know that Cisco routers have been able to do this for a few
versions now. I suspect that any of these new 'appliances' that have
software to deal with xDSL, where addresses are very frequently assigned,
will be able to cope with this - it's just a question of how much you call
them 'firewalls'. The basic problem is that if the box itself isn't involved
in negotiating the IP address it becomes ugly.

So, in short, moving your NAT to the network border and doing it on your
screening router is one option. That might also break other stuff that you
do, like VPNs. Who knows.

ben

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of W. Builder
Sent: Tuesday, May 20, 2003 5:43 PM
To: firewall-wizards () honor icsalabs com

Dear Gurus
 
Service based NAT with only one legal IP can be done with 
Checkpoint FW-1 NG but not for dynamically allocated legal IP.

http://www.phoneboy.com/fom-serve/cache/86.html

Are there any other non-CheckPoint firewall s/ware products 
or appliances that can do this with both one legal static IP? 
With one dynamically assigned legal IP?
 
Many thanks
W.Builder

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
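
A sketch of the Cisco IOS approach mentioned in the reply above, added here as an example and not part of either poster's message. The interface names, inside addresses and ports are assumptions chosen for illustration.

```cisco
! Constructed example: interface names, inside addresses and ports are assumptions.
! Outside interface: the router itself negotiates the public address,
! so NAT can follow whatever address is currently assigned.
interface Dialer0
 ip address negotiated
 ip nat outside
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outbound traffic from the inside network shares the single public address.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
! Per-service static port mappings, keyed to the interface rather than to a
! literal public address: SMTP to one internal server, HTTP to another.
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.20 80 interface Dialer0 80
```

Because the mappings reference the interface instead of a fixed address, they continue to apply when the provider reassigns the address, which only works when the device doing NAT is also the one negotiating that address.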

