[fw-wiz] NAT sanity check
jimbob.coffey at gmail.com
Mon Nov 5 19:49:53 EST 2007
On 11/2/07, David Steele <steeled3 at gmail.com> wrote:
> I'm hoping someone can provide a sanity check on the following configuration
> - i.e.: will it work?
> I've got a /29 public network, addresses (say) .2 to .6, with default
> gateway of .1. Can I place a Checkpoint firewall on .2 and have it use the
> remaining addresses for NAT'd services on the other side of the firewall?
Yes not a problem use static arps on the firewall (cisco calls it proxy arp)
fw-1 will automagically create them for you as well but there have been issues
with this in the past (depends on OS and firewall revision)
> I ask as I'm certain I've done this in the past, but I'm a few years out of
> doing firewall work and my current technical contact reckons this won't work
> - that the default gate will ARP for the address and the .2 firewall won't
> respond; and that furthermore the only way to use the addresses would be to
> put a different subnet between the default gateway and the firewall and
> route the /29 network to the firewall (which I agree will work, but...)
Hmm time for a new technical contact...
I actually prefer the route based method but then I have address space
to burn a
> Also, would it work if the firewall was a PIX?
Should do. I think the pix will even create them for you
if you configure nat rules.
> David Steele
> <insert sig line witticism here>
> firewall-wizards mailing list
> firewall-wizards at listserv.icsalabs.com
More information about the firewall-wizards