
RE: [FW1] Firewall-1 DMZ configuration.




James,


thanks for this, however we actually have 8 /24 networks currently...but it would take a lot more work to NAT the entire 256 addresses than to assign the www et al illegal addresses....but I take on board what you've said and consider it a bit more fully...so thanks.

My firewall currently only has two NICs installed.

At 08:33 29/01/2001 -0600, James Edwards wrote:
I'm sure someone will correct me if I am wrong but it would seem to make
more sense to move your WWW and other servers to the DMZ, give them the
111.111.111.0 network and NAT your internal network.  I am assuming you only
have one Class C network so are limited internally to the 256 addresses but
by NATing them on the 10.0.0.0 network, you would effectively be giving
yourself a Class A network and giving yourself a whole lot more IP addresses
for use with your internal PCs, printers, and servers.

Also, if your NT firewall has three NICs, you should be able to do a DMZ
without any new hardware.  Set it up like this

Internet
    |
    |
Firewall ------- DMZ
    |
    |
Internal Network

Hope this helps.

Jim Edwards
Systems Manager
Texas Secretary of State

-----Original Message-----
From: Paul Messer [mailto:[email protected]]
Sent: Monday, January 29, 2001 7:46 AM
To: [email protected]
Subject: [FW1] Firewall-1 DMZ configuration.



Dear All,

we here have a problem...in that we have no DMZ currently....

I want to move all our externally facing www and ftp etc servers to a DMZ
and I'm considering the Nokia FW platform to do it with...currently we're
running it on an NT server.

All the FTP and www servers have the same Class C network address as the
rest of our network i.e. www is 111.111.111.111 my machine is
111.111.111.67...is it possible to use NAT to ip address these boxes i.e.
10.10.50.111 and so on whilst still showing their real address to the
outside world even though the network address shown would be normally
routed on to our network...

e.g...

FW-1 with 3 NICs ----> NAT 111.111.111.111 ----> 10.10.50.111

Also would it be possible / prudent to move the DNS / Mail server to the
DMZ using the same NAT even though it's a POP3 mail server which ppl would
connect to internally to collect mail.

I'm sorry if it's a really stupid question but we've never done it before
and I've only ever dabbled with NAT.

Thanks in advance.



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
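
Added example, not part of the original thread: a Python check of the two layouts discussed above, mapping each public server address to the DMZ address with the same host part (111.111.111.111 -> 10.10.50.111) and validating the address plan. The function name `plan_static_nat`, the second server address and the 10.20.0.0/16 internal range are assumptions constructed for illustration; this is not Firewall-1 configuration.

```python
import ipaddress


def plan_static_nat(public_net, dmz_net, internal_net, servers):
    """Plan 1:1 static NAT from public server addresses to DMZ addresses.

    Each server keeps its host part, as in the post. Returns the NAT rules
    and a flag saying whether internal clients share the public subnet.
    """
    public_net = ipaddress.ip_network(public_net)
    dmz_net = ipaddress.ip_network(dmz_net)
    internal_net = ipaddress.ip_network(internal_net)

    if public_net.prefixlen != dmz_net.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    # Renumbering the inside into 10.0.0.0/8 while the DMZ sits at
    # 10.10.50.0/24 would make the DMZ unroutable from the inside.
    if dmz_net.overlaps(internal_net):
        raise ValueError(f"DMZ {dmz_net} overlaps internal {internal_net}")

    rules = []
    for server in servers:
        public_ip = ipaddress.ip_address(server)
        if public_ip not in public_net:
            raise ValueError(f"{public_ip} is not in {public_net}")
        offset = int(public_ip) - int(public_net.network_address)
        rules.append((str(public_ip), str(dmz_net.network_address + offset)))

    # Internal clients still numbered in the public subnet treat the
    # translated address as on-link: they ARP for it instead of sending to
    # a gateway, so the firewall has to answer ARP for it (proxy ARP) or the
    # clients need host routes pointing at the firewall.
    clients_on_link = internal_net.overlaps(public_net)
    return {"rules": rules, "clients_on_link": clients_on_link}


if __name__ == "__main__":
    # Constructed input: www from the post plus a made-up ftp address.
    servers = ["111.111.111.111", "111.111.111.20"]
    plan = plan_static_nat("111.111.111.0/24", "10.10.50.0/24",
                           "111.111.111.0/24", servers)
    for public_ip, dmz_ip in plan["rules"]:
        print(f"static NAT {public_ip} <-> {dmz_ip}")
    print("internal clients on-link to NATed addresses:",
          plan["clients_on_link"])
```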






 
   All contents © 2004 Network Presence, LLC. All rights reserved.