[fw-wiz] NAT sanity check

James jimbob.coffey at gmail.com
Mon Nov 5 19:49:53 EST 2007


On 11/2/07, David Steele <steeled3 at gmail.com> wrote:
> Hi,
>
> I'm hoping someone can provide a sanity check on the following configuration
> - i.e.: will it work?
>
> I've got a /29 public network, addresses (say) .2 to .6, with default
> gateway of .1.  Can I place a Checkpoint firewall on .2 and have it use the
> remaining addresses for NAT'd services on the other side of the firewall?

Yes, not a problem: use static ARPs on the firewall (Cisco calls it proxy ARP).
FW-1 will automagically create them for you as well, but there have been issues
with this in the past (depends on OS and firewall revision).

>
> I ask as I'm certain I've done this in the past, but I'm a few years out of
> doing firewall work and my current technical contact reckons this won't work
> - that the default gate will ARP for the address and the .2 firewall won't
> respond; and that furthermore the only way to use the addresses would be to
> put a different subnet between the default gateway and the firewall and
> route the /29 network to the firewall (which I agree will work, but...)

Hmm, time for a new technical contact...
I actually prefer the route-based method, but then I have address space
to burn a /30 on.

>
> Also, would it work if the firewall was a PIX?

Should do.  I think the PIX will even create them for you
if you configure NAT rules.

>
> TIA
>
> --
> _______________________________
> David Steele
>
> <insert sig line witticism here>


-- 
jac
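
The two designs discussed in this thread (NAT addresses on the same /29 as the default gateway, versus the /29 routed to the firewall over a separate transit subnet), modelled as an added example that is not part of the original posts. The function name `arp_plan` and all addresses (documentation ranges) are constructed for illustration, and the model assumes the on-link and routed prefixes do not overlap.

```python
import ipaddress

def arp_plan(upstream_onlink, firewall_ip, nat_ips, routed_to_firewall=()):
    """Classify each NAT address by how the upstream gateway would reach it.

    upstream_onlink:     subnet on the gateway's interface facing the firewall
    firewall_ip:         firewall's own address on that subnet
    routed_to_firewall:  prefixes the gateway routes via firewall_ip (if any)
    """
    onlink = ipaddress.ip_network(upstream_onlink)
    fw = ipaddress.ip_address(firewall_ip)
    routed = [ipaddress.ip_network(p) for p in routed_to_firewall]
    plan = {"publish_arp": [], "routed": [], "unreachable": []}
    for raw in nat_ips:
        ip = ipaddress.ip_address(raw)
        if ip == fw:
            continue  # the firewall already answers ARP for its own address
        if ip in onlink:
            # The gateway ARPs directly for on-link addresses, so the firewall
            # needs a static/proxy ARP entry for every NAT address here.
            if ip in (onlink.network_address, onlink.broadcast_address):
                plan["unreachable"].append(str(ip))
            else:
                plan["publish_arp"].append(str(ip))
        elif any(ip in net for net in routed):
            # Forwarded to the firewall's next-hop address; no ARP entry needed.
            plan["routed"].append(str(ip))
        else:
            plan["unreachable"].append(str(ip))
    return plan

# Constructed sample: .3 to .6 of a /29 used for NAT, firewall on .2.
NAT_IPS = ["192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6"]

def same_subnet_design():
    return arp_plan("192.0.2.0/29", "192.0.2.2", NAT_IPS)

def routed_design():
    # Constructed transit /30 between gateway and firewall; /29 routed behind it.
    return arp_plan("198.51.100.0/30", "198.51.100.2", NAT_IPS,
                    routed_to_firewall=["192.0.2.0/29"])

if __name__ == "__main__":
    print("same subnet:", same_subnet_design())
    print("routed:     ", routed_design())
```
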

