Firewall Wizards mailing list archives
Re: IPv6
From: John Kougoulos <koug () intranet gr>
Date: Thu, 30 Dec 2010 10:29:07 +0200
On 12/29/2010 11:33 AM, Martin Barry wrote:
> $quoted_author = "Mathew Want" ;
>> Because I do not want my workstations to be routed to from the internet.
>
> Then you want a stateful firewall, not NAT66. Or do you have other reasons for wanting NAT66?
I see NAT66 as helpful on e.g. site-to-site VPNs. E.g., suppose that I have the prefix 2001:db8:85a3::/48 and I have some of my internet accessible machines on 2001:db8:85a3:3::/64 and some "internal" machines on 2001:db8:85a3:2::/64, 2001:db8:85a3:4::/64. If the other side of the site-to-site VPN routes the whole 2001:db8:85a3::/48 over the VPN in order to access the "internal" machines, they will also try to access the Internet accessible machines over the site-to-site VPN, which could mean that they may bypass some controls, or that I have to open tons of ACLs on various firewalls, not to mention the possible asymmetric routing issues.
If I could NAT66 the 2001:db8:85a3::/48 to a ULA::/48 space, I believe it would be much easier to manage, since the other side would have to route the ULA space to the VPN.
Regards,
John Kougoulos
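The routing effect described in the message above, as an added example that is not part of the original post. It assumes a constructed ULA prefix (fd12:3456:789a::/48), constructed host addresses, and a plain 1:1 prefix swap for NAT66, without the checksum-neutral adjustment that NPTv6 (RFC 6296) adds; `nat66`, `next_hop` and the interface names are hypothetical.

```python
import ipaddress

GLOBAL_SITE = ipaddress.ip_network("2001:db8:85a3::/48")  # site prefix from the post
ULA_SITE = ipaddress.ip_network("fd12:3456:789a::/48")    # constructed ULA prefix (assumption)
DMZ_HOST = "2001:db8:85a3:3::10"       # constructed host on the internet-accessible /64
INTERNAL_HOST = "2001:db8:85a3:2::20"  # constructed host on an "internal" /64

def nat66(addr, inside=GLOBAL_SITE, outside=ULA_SITE):
    """Stateless 1:1 prefix swap: keep the low 80 bits, replace the /48."""
    addr = ipaddress.ip_address(addr)
    if addr not in inside:
        raise ValueError(f"{addr} is not inside {inside}")
    low_bits = int(addr) & int(inside.hostmask)
    return ipaddress.ip_address(int(outside.network_address) | low_bits)

def next_hop(routes, dst):
    """Longest-prefix match over a {network: interface} routing table."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, ifname) for net, ifname in routes.items() if dst in net]
    return max(matches, key=lambda m: m[0])[1]

DEFAULT = ipaddress.ip_network("::/0")

# Remote peer's table when it routes the whole global /48 into the tunnel.
WITHOUT_NAT66 = {DEFAULT: "internet", GLOBAL_SITE: "vpn"}
# Remote peer's table when only the ULA /48 is routed into the tunnel.
WITH_NAT66 = {DEFAULT: "internet", ULA_SITE: "vpn"}

def compare():
    """Path the remote peer picks for each destination under both designs."""
    return {
        "dmz, global /48 routed to vpn": next_hop(WITHOUT_NAT66, DMZ_HOST),
        "dmz, ULA /48 routed to vpn": next_hop(WITH_NAT66, DMZ_HOST),
        "internal via ULA": next_hop(WITH_NAT66, nat66(INTERNAL_HOST)),
    }

if __name__ == "__main__":
    for case, path in compare().items():
        print(f"{case}: {path}")
```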