Re: 1-1 NAT? - Hardware Firewall Question
comp.security.firewalls archive

From: Judge Roy Bean <k433ds@jjkss.org>
Date: Wed Jul 13 2005 - 08:10:25 CEST

On Wed, 13 Jul 2005 01:09:13 GMT, Leythos <void@nowhere.lan> wrote:

>In article <02p8d15jtvg0fva8t0ueup0c0g94acru8t@4ax.com>,
>k433ds@jjkss.org says...
>> Thanks ahead of time...
>> I have a Win2003 web server with multiple sites (not using host
>> headers) running in a data center. As of now I only have a software
>> firewall running on it. Want to add a hardware appliance but am
>> stumped on what I need to look for. I am confused about what it takes
>> to forward multiple (not consecutive) external IPs in our range
>> through to multiple internal addresses. I know the basics of hardware
>> firewalls but am not sure what to look for that would fit this need. I
>> definitely know the cheaper firewalls don't support this. I've looked
>> over what sonicwall has to offer but am not sure which firewall would
>> be best for this. I don't want to do anything too fancy, just block
>> the junk packets before they get to the machine and lock down all but
>> the necessary ports. Each IP now has at least http/https/smtp/pop
>> running on them. Also, what exactly is the interface in the firewall's
>> admin that would allow this? Is it 1-1 NAT? Thx, Roy J
>
>You have a data center with multiple non-consecutive IP addresses on the
>public side?
>
>I have a block of public IP addresses, I assign a first one to my
>firewall and then others in the group to its external interface. Let's
>say I have 16 IPs, I assign IP 1,2,3,4,5,10~16 to the external interface
>and then use 6~9 for test servers that are not protected by the
>firewall.
>
>This means I have the inbound internet connection running to a switch
>and the Firewall gets one connection and the non-protected devices get
>other physical connection to that public switch.
>
>Now, port/ip mapping in 1:1 mode or NAT mode is very simple. I have a
>bunch of websites behind the firewall running on several servers, I set
>all their A records to point to IPs 1,2,3,4,5 as needed then I set the
>firewall to map IP1:80 to internal NAT IP 200:80 (since 200 is one of
>the servers) and then IP2:80 to NAT IP 200:80, and then IP3:80 to NAT IP
>201:80 and so on.....
>
>Why don't you use HOST Headers - my Linux boxes and IIS boxes are all
>setup with Host Headers and it's worked very well for years.
>
>What you need to do is find a Firewall Appliance that allows for
>assignment of non-consecutive IPs in the same subnet or allows for
>multiple subnets on the external interface. I use WatchGuard Firebox
>X700, 1000 and such for that function.
>
>--

Thanks. I share data center space with a company I used to work for.
IPs were juggled before I entered into the picture - I believe we have
a range of 64 - so I ended up with non-consecutive available IPs.

So if I get a firewall that supports multiple external IPs, is it as
easy as defining those IPs in the firewall's external network settings
and going about NATing them through? Right now our connection comes
through a Cisco router, into a switch and from there resolves to our
IIS boxes. I'll just be putting a firewall between the switch and my
machine to do the resolving and it'll be translating through.

One of the main reasons I'm stumped is that when sifting over the
documentation on sites like watchguard's or sonicwall's I'm not
entirely sure what specifically to look for in the description that
tells me it supports multiple external IPs. "One-to-one NAT" or if it
lists "multiple interfaces"? I'm looking at 700/1000:

http://www.watchguard.com/products/compare_results.asp?p1=x700&p2=x1000&p3=&nav=

I don't use host headers right now because 3 of the 6 sites on the box
have SSL certs assigned and I have the IPs available for each to have
their own. Can always change a few of the sites over to using host
headers if I ever need to.
Thanks for the help. Roy
Received on Thu Sep 29 19:58:36 2005
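One concrete way to express the mapping Leythos describes (a few non-consecutive public IPs bound to the external interface, each public IP:port forwarded 1:1 to an internal server, and everything unmapped dropped) on a Linux firewall with nftables. This is an added example, not anything from the thread or from a WatchGuard/SonicWall appliance; the addresses, interface names and the mapping table are constructed placeholders.

```shell
# Builds the firewall config for the setup in the thread: non-consecutive
# public IPs on one external interface, each mapped per port (1:1 style) to
# an internal server, every unmapped port dropped. All values are constructed.
WAN=eth0     # external interface that carries the public IPs
LAN=eth1     # interface facing the IIS/mail servers
PREFIX=26    # a /26 is a block of 64 public addresses, as in the post

# Mapping table (constructed): public_ip port internal_ip
# The scattered .1 .2 .3 stand in for the poster's non-consecutive IPs.
MAP='203.0.113.1 80 10.0.0.200
203.0.113.1 443 10.0.0.200
203.0.113.2 80 10.0.0.200
203.0.113.3 80 10.0.0.201
203.0.113.3 25 10.0.0.201
203.0.113.3 110 10.0.0.201'

# Each distinct public IP must be bound to the external interface first.
addr_commands() {
  printf '%s\n' "$MAP" | cut -d' ' -f1 | sort -u | while read -r pub; do
    printf 'ip addr add %s/%s dev %s\n' "$pub" "$PREFIX" "$WAN"
  done
}
# DNAT rules: public IP:port -> internal IP:port (the "IP1:80 to 200:80" idea).
nat_rules() {
  printf '%s\n' "$MAP" | while read -r pub port int; do
    printf '    iifname "%s" ip daddr %s tcp dport %s dnat to %s:%s\n' \
      "$WAN" "$pub" "$port" "$int" "$port"
  done
}
# Forward-chain accepts for exactly the mapped flows (post-DNAT addresses);
# the chain policy is drop, so ports that were never mapped cannot be reached.
forward_rules() {
  printf '%s\n' "$MAP" | while read -r pub port int; do
    printf '    iifname "%s" oifname "%s" ip daddr %s tcp dport %s ct state new accept\n' \
      "$WAN" "$LAN" "$int" "$port"
  done | sort -u
}
# Complete nftables ruleset; load on the firewall host with: gen_ruleset | nft -f -
gen_ruleset() {
  printf 'table ip fw1to1 {\n  chain prerouting {\n'
  printf '    type nat hook prerouting priority dstnat; policy accept;\n'
  nat_rules
  printf '  }\n  chain forward {\n'
  printf '    type filter hook forward priority filter; policy drop;\n'
  printf '    ct state established,related accept\n'
  forward_rules
  printf '  }\n}\n'
}
# True when the generated ruleset exposes public ip:port to the Internet.
is_exposed() { gen_ruleset | grep -q "ip daddr $1 tcp dport $2 dnat"; }
```

Running `gen_ruleset` prints the ruleset for review before it is loaded; `is_exposed` is a quick audit that a given public IP:port is (or is not) reachable through the mapping.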