from the quill of MAURO_STARINIERI @
com on scroll
> Item Subject: Text_1
> I have to connect, in a secure way using FireWall-1 V2.0, an
> network to more than one external networks. Some of these networks
> have the same IP address (they are not public networks), so, when I
> will connect them to the same network, I have the problem to manage
> correctly these duplicated addresses. I know that with FW-1 it is
> possible to translate internal invalid addresses to valid addresses,
> but what I have to do is the contrary: translating external invalid
> addresses to valid ("unique") addresses.
> Could anyone suggest me a way to do that using FW-1?
OK. Let's first remove the concepts of "internal" and "external" here.
They are red herrings. You have one network that you need to connect to
other networks where "other" networks have the same (duplicate) IP
addresses. There's only one way that can work.
If you had a NAT device - yes FW-1 does do NAT, although I've not looked at
it in detail - that could do the translation based on what interface the
packet comes from. That is to say that you would need a table for
tranlating addresses that not only had a list of addresses to address
tanslation, but address/interface to address translation.
This sounds like a bandaid. You would be much better off to have everbody
agree on a set of RFC-1918 addresses, and/or get registered Internet
You might also want to try the FW-1 mailing list next time as well. It's
distribution address is at firewall-1 @
address is left as an excersize for the reader (read: I can't remember :-)
Brian J. Murrell Brian_Murrell @
BCTel Advanced Communications brian @
Vancouver, B.C. brian @
604 454 5279