Re: 1-1 NAT? - Hardware Firewall Question
comp.security.firewalls archive

From: Judge Roy Bean <k433ds@jjkss.org>
Date: Thu Jul 14 2005 - 11:30:11 CEST

On Wed, 13 Jul 2005 12:30:37 GMT, Leythos <void@nowhere.lan> wrote:

In article <c2c9d19jgibti04jnd83322g81gnrjj07s@4ax.com>,
k433ds@jjkss.org says...
> On Wed, 13 Jul 2005 01:09:13 GMT, Leythos <void@nowhere.lan> wrote:
>
> >In article <02p8d15jtvg0fva8t0ueup0c0g94acru8t@4ax.com>,
> >k433ds@jjkss.org says...
> >> Thanks ahead of time...
> >> I have a Win2003 web server with multiple sites (not using host
> >> headers) running in a data center. As of now I only have a software
> >> firewall running on it. Want to add a hardware appliance but am
> >> stumped on what I need to look for. I am confused about what it takes
> >> to forward multiple (not consecutive) external IPs in our range
> >> through to multiple internal addresses. I know the basics of hardware
> >> firewalls but am not sure what to look for that would fit this need. I
> >> definitely know the cheaper firewalls don't support this. I've looked
> >> over what sonicwall has to offer but am not sure which firewall would
> >> be best for this. I don't want to do anything too fancy, just block
> >> the junk packets before they get to the machine and lock down all but
> >> the necessary ports. Each IP now has at least http/https/smtp/pop
> >> running on them. Also, what exactly is the interface in the firewall's
> >> admin that would allow this? Is it 1-1 NAT? Thx, Roy J
> >
> >You have a data center with multiple non-consecutive IP addresses on the
> >public side?
> >
> >I have a block of public IP addresses, I assign a first one to my
> >firewall and then others in the group to its external interface. Let's
> >say I have 16 IPs, I assign IP 1,2,3,4,5,10~16 to the external interface
> >and then use 6~9 for test servers that are not protected by the
> >firewall.
> >
> >This means I have the inbound internet connection running to a switch
> >and the Firewall gets one connection and the non-protected devices get
> >other physical connection to that public switch.
> >
> >Now, port/ip mapping in 1:1 mode or NAT mode is very simple. I have a
> >bunch of websites behind the firewall running on several servers, I set
> >all their A records to point to IPs 1,2,3,4,5 as needed then I set the
> >firewall to map IP1:80 to internal NAT IP 200:80 (since 200 is one of
> >the servers) and then IP2:80 to NAT IP 200:80, and then IP3:80 to NAT IP
> >201:80 and so on.....
> >
> >Why don't you use HOST Headers - my Linux boxes and IIS boxes are all
> >setup with Host Headers and it's worked very well for years.
> >
> >What you need to do is find a Firewall Appliance that allows for
> >assignment of non-consecutive IPs in the same subnet or allows for
> >multiple subnets on the external interface. I use WatchGuard Firebox
> >X700, 1000 and such for that function.
> >
> >--
>
>
> Thanks. I share data center space with a company I used to work for.
> IPs were juggled before I entered into the picture - I believe we have
> a range of 64 - so I ended up with non-consecutive available IPs.
>
> So if I get a firewall that supports multiple external IPs, is it as
> easy as defining those IPs in the firewall's external network settings
> and going about NATing them through? Right now our connection comes
> through a Cisco router, into a switch and from there resolves to our
> IIS boxes. I'll just be putting a firewall between the switch and my
> machine to do the resolving and it'll be translating through.

Yes, it's as easy as adding the first IP with a /xx subnet notation and
then adding the "additional" IP addresses in that same subnet as needed.
You can add them out of sequence, you can even add an IP from a different
subnet as an additional network.

You can do NAT or you can do drop-in mode where your Public IPs are on
both sides (WAN:LAN) and still provide firewall functions between the
two. The NAT option gives you the ability to grow beyond your 1:1 mode
but it requires more work and planning.

> One of the main reasons I'm stumped is that when sifting over the
> documentation on sites like watchguard's or sonicwall's I'm not
> entirely sure what specifically to look for in the description that
> tells me it supports multiple external IPs. "One-to-one NAT" or if it
> lists "multiple interfaces"? I'm looking at 700/1000:
>
> http://www.watchguard.com/products/compare_results.asp?p1=x700&p2=x1000&p3=&nav=

Yea, it's hard to find specific features in any appliance or other, they
give general ones and you have to call and query them about specifics
and then get them to email you the details. It's that way with all the
vendors unless they give an example that shows what you're looking for.

The nice thing about the WG series is that they act as VPN end-points
for PPTP, which means you can PPTP into the firewall and then manage it
and your network as though you were sitting there at the network. You
can also create some really nice rules that allow PPTP users (based on
their login name at the firebox) access to very specific ports/IP in the
network - so you could limit a user to accessing server1:port:xyz only,
while at the same time another user could have access to the entire LAN.

> I don't use host headers right now because 3 of the 6 sites on the box
> have SSL certs assigned and I have the IPs available for each to have
> their own. Can always change a few of the sites over to using host
> headers if I ever need to.

When you get the appliance, if you get a WG FB, post back if you need
help, we often set up appliances and then ship them to customers who
just connect the cables and they work - it's fairly easy to do via email
or Usenet also (as long as we don't talk specific IPs in public).

-- 
----------------------------
Great. Answers all my ??'s. A sincere thanks for your help.
Received on Thu Sep 29 19:58:46 2005
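The 1:1 port/IP mapping Leythos describes (several non-consecutive public IPs, each forwarded on just http/https/smtp/pop to an internal server, everything else dropped), rendered as Linux iptables rules. This is an added example for readers, not WatchGuard or SonicWall configuration and not from the thread: it assumes a Linux box with iptables standing in for the appliance, eth0 as the external interface, and constructed placeholder addresses (203.0.113.x public, 192.168.1.200/201 internal, echoing the "200" and "201" servers in the post). The functions only print the commands so the mapping can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not apply) the 1:1 NAT
# rule set for non-consecutive public IPs. All addresses are constructed.

# Mapping table (hypothetical): public_ip internal_ip. Note the gaps in the
# public range, as in the poster's situation.
MAPPINGS="203.0.113.1 192.168.1.200
203.0.113.2 192.168.1.200
203.0.113.5 192.168.1.201"

# Only the services the poster runs on each IP: http/https/smtp/pop.
ALLOWED_PORTS="80 443 25 110"

# Secondary addresses on the external interface (eth0 assumed); they can be
# added out of sequence, which is the point of the thread.
ext_addrs() {
  echo "$MAPPINGS" | while read -r pub _; do
    echo "ip addr add $pub/24 dev eth0"
  done
}

# Default-drop forwarding, then one DNAT plus one explicit accept per public
# IP and allowed port. Anything not listed never reaches the server.
nat_rules() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$MAPPINGS" | while read -r pub int; do
    for port in $ALLOWED_PORTS; do
      echo "iptables -t nat -A PREROUTING -i eth0 -d $pub -p tcp --dport $port -j DNAT --to-destination $int:$port"
      echo "iptables -A FORWARD -i eth0 -d $int -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies and outbound traffic leave with the server's own public IP
    # (true 1:1); when a server has several public IPs the first rule wins.
    echo "iptables -t nat -A POSTROUTING -o eth0 -s $int -j SNAT --to-source $pub"
  done
}
```

Run the script with `sh` to review the generated commands; piping that output back into `sh` on the firewall host would apply them.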