[techtalk] NAT, Routing, or something else?

Angela Nash Chick at the-nashes.net
Mon Apr 23 00:33:26 EST 2001


The problem here is you were assigned one subnet, but you need two.  You
need one between the router and the firewall, and then another behind the
firewall.  To get around this, assign a private address space to the link
between the router and the firewall.  Use something like 10.x.x.x.  Then use
the real subnet behind your firewall.  Make sure the Cisco 678 has a static
route set up so that it knows your real subnet needs to go through the
firewall (since it's a router too).

On the firewall just enable IP forwarding and set its default route to the
Cisco.  The only quirk with this setup is that an interface with a 10.x.x.x
address won't be able to access the net....so you won't be able to get out
to the Internet from your firewall.  But, people won't be able to ssh/telnet
right to the firewall either, since it is sort of hidden.

Jason
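The two-subnet layout Jason describes, written out as a shell script. This is an added example, not code from the thread: the addresses are constructed (203.0.113.32/27 stands in for the assigned /27, 10.0.0.0/30 for the private link between the Cisco 678 and the firewall), the interface names eth0/eth1 and the use of iproute2 `ip` and `sysctl` on the firewall are assumptions, and the Cisco 678 side is only described in words because the thread does not show its command syntax. By default the script prints the commands (dry run) and flags the quirk Jason mentions; it applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread). Layout from Jason's reply:
#   Internet -> Cisco 678 -(10.0.0.0/30 link)- firewall -(real /27)- LAN
# All addresses are constructed placeholders; interface names are assumed.

CISCO_LINK_IP=10.0.0.1        # Cisco 678 Ethernet side, private link
FW_OUTSIDE_IP=10.0.0.2        # firewall, link facing the Cisco
LINK_PREFIX=30
REAL_SUBNET=203.0.113.32/27   # the assigned /27, used only behind the firewall
FW_INSIDE_IP=203.0.113.33     # firewall, LAN side; LAN hosts use it as gateway
REAL_PREFIX=27
OUTSIDE_IF=eth0
INSIDE_IF=eth1

# Linux firewall: enable forwarding, address both links, default route to the Cisco.
firewall_commands() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip addr add $FW_OUTSIDE_IP/$LINK_PREFIX dev $OUTSIDE_IF
ip addr add $FW_INSIDE_IP/$REAL_PREFIX dev $INSIDE_IF
ip route add default via $CISCO_LINK_IP dev $OUTSIDE_IF
EOF
}

# What the Cisco 678 must be told (its own syntax is not shown in the thread):
# the real subnet is reached through the firewall's link address.
cisco_static_route() {
  echo "$REAL_SUBNET via $FW_OUTSIDE_IP"
}

# A LAN host that gets real address $1 on interface $2: no NAT, plain routing.
lan_host_commands() {
  cat <<EOF
ip addr add $1/$REAL_PREFIX dev $2
ip route add default via $FW_INSIDE_IP dev $2
EOF
}

# The quirk Jason mentions: an RFC 1918 source address is never routed back
# from the Internet, so traffic the firewall sources from its own 10.x address
# gets no replies, and nobody outside can reach that address either.
is_globally_routable() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    *) return 0 ;;
  esac
}

# Source address the firewall itself would use toward the Internet.
firewall_internet_source() { echo "$FW_OUTSIDE_IP"; }

# Dry run by default; APPLY=1 (as root) executes the firewall commands.
if [ "${APPLY:-0}" = 1 ]; then
  firewall_commands | while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
else
  firewall_commands
  echo "# Cisco 678 needs a static route: $(cisco_static_route)"
  if is_globally_routable "$(firewall_internet_source)"; then
    echo "# firewall can reach the Internet directly"
  else
    echo "# note: $(firewall_internet_source) is private; the firewall itself cannot reach the Internet"
  fi
fi
```

The LAN hosts need nothing special: each gets one of the real addresses and the firewall's inside address as its default gateway, and the Cisco's static route sends return traffic for the /27 to the firewall's link address. Packet-filtering rules are out of scope here; only the routing from the reply is shown.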

-----Original Message-----
From: Samuel Tesla [mailto:johngalt at io.com]
Sent: Sunday, April 22, 2001 11:46 PM
To: techtalk at linuxchix.org
Subject: [techtalk] NAT, Routing, or something else?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So I recently got DSL and a /27 subnet of static IPs to play with.  Problem is, I can't quite figure out what I need to do to set up the routing for the IPs.

Here's how the network is set up

Internet ---> ISP Gateway ---> My Cisco 678 ---> My Firewall (486) -< My LAN

Now, I know it is possible to do this somehow, although I've not seen it done with a Linux kernel.  What I'd like to do is assign the IPs in my subnet to the boxes on my LAN (no NAT or anything) and just have my firewall act as a router.  That alleviates concerns about protocols (and I think is the only way to get certain direct computer connection protocols to work).

An alternative is to set up NAT on the firewall (I'm doing masq with ipchains at the moment) and give the LAN machines ten-space addresses.  This I already know how to set up, but I don't like it.  It involves setting up port forwarders and what not, and can get tricky with some protocols.  I'd like to avoid this.

There might be another alternative that I'm not aware of.

I've tried running routed to accomplish the routing, but I cannot ping my internal IPs from the outside (of course, I can go from inside to outside, due to the MASQ).  I'm trying to figure out how to do the first scenario (the actual routing) with the Linux kernel, and the Adv-Routing-HOWTO didn't seem to cover it (I may be mistaken).

I'd like to figure it out so that I can call up and hassle my ISP if necessary.

Thanks in advance, folks.

- -- 
 
-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
 Samuel Tesla
johngalt at io.com
                              Today's Fortune Is:


 A 'full' life in my experience is usually full only of other people's
demands.

            print: CB1E 678E E7E1 827C E30B  2618 6513 F23C C24B 1FFE

 
-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE646VjZRPyPMJLH/4RAsaAAKCHwSqKtDiGTgqYCLpOtuLjaEqXVwCgjRe7
jbC+OUreSwLdJVb/LFwrrJE=
=X6Ln
-----END PGP SIGNATURE-----


_______________________________________________
techtalk mailing list
techtalk at linuxchix.org
http://www.linux.org.uk/mailman/listinfo/techtalk