Great Circle Associates Firewalls
(December 1996)

Subject: Re: fw1/address translation
From: shiggins @ naccess . com (Sean higgins)
Date: Sun, 29 Dec 1996 18:54:31 GMT
To: firewalls @ GreatCircle . COM
In-reply-to: <199612290322 . UAA20203 @ mail . xmission . com>
References: <199612290322 . UAA20203 @ mail . xmission . com>

On Sat, 28 Dec 1996 20:22:58 -0700 (MST), you wrote:

>I'm using address translation to hide my internal network.  our bastion
>host runs fw1 and contains three interfaces:
>
>        172 -- private internal network
>        192 -- DMZ
>        206 -- registered class C
>
>questions:
>
>(1) under fw1 may I use *any* available 206 address to hide my entire
>network behind?  in other words, is it mandatory to use the public,
>registered class C 206 address on the bastion host to hide behind?

You can use any of the addresses except for the address of the bastion.
In the Firewall-1 documentation about address translation, it
indicates using the address of the firewall in address translation can
lead to unpredictable results.

You can even use just one address to hide your entire internal
network...

>(2) since I'm using rfc1577 private network numbers does it even make sense
>to turn on anti-spoofing on my interfaces?

I believe you mean RFC 1918, the revised RFC.  I don't believe it will
hurt to have the anti-spoofing enabled...

>(3) how does fw1 deal with routing?  the solstice documentation (which is
>very thin) says that internal routing is first done *then* the translation
>takes place.  since I only have a single registered class C and I do not
>want to subnet (I'm thinking I'll have to use the 2nd and 3rd networks in
>the subnetted 206) my 206 address space, can I get away with a statically
>built routing table as follows *without* subnetting?
>
>        dest                                               gateway
>        206.x.x.66 (internal corp mail server)             172.x.x.x
>        206.x.x.129 (web server on the DMZ)                192.x.x.x
>
>(NOTE:  my fw1 address translation rules first statically map the
>206.x.x.66->172.x.x.66 and 206.x.x.129->192.x.x.129, THEN all 206 addresses
>are hidden behind a single 206 address.  In my experience it appears that
>fw1 is *first* translating *then* routing?)

You are correct above.  You will also need to add arp entries which
basically tell the machine to be those hidden addresses as well.
Something like:

arp -s 206.x.x.66 yy:yy:yy:yy:yy:yy pub,

where yy:yy:yy:yy:yy:yy is the mac address of the external
interface...

I hope this helps...

                  Sean

Sean Higgins -- "Always count your advantages!"
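The ordering the reply confirms (static one-to-one maps first, then everything else hidden behind a single public address, with translation happening before the routing lookup, and proxy ARP entries published for each translated public address) is modelled below as an added Python example; it is not code from the post, the thread, or FireWall-1. All addresses are constructed documentation-range values standing in for the poster's 206/172/192 networks, and the routing table, the hide address and the helper names are assumptions for illustration.

```python
import ipaddress

# All addresses below are constructed (RFC 5737 / RFC 1918 documentation and
# private ranges) standing in for the poster's 206 / 172 / 192 networks.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")   # registered "class C"
INTERNAL_NET = ipaddress.ip_network("172.16.0.0/16")  # private internal network
DMZ_NET = ipaddress.ip_network("192.168.1.0/24")      # DMZ
DEFAULT_NET = ipaddress.ip_network("0.0.0.0/0")

FW_EXTERNAL = "203.0.113.1"   # the bastion's own external interface address (assumed)
HIDE_ADDR = "203.0.113.2"     # single public address the internal network hides behind

# Static (one-to-one) translations, consulted before the hide rule.
STATIC_MAP = {
    "203.0.113.66": "172.16.0.66",     # internal corporate mail server
    "203.0.113.129": "192.168.1.129",  # web server on the DMZ
}
REVERSE_STATIC_MAP = {real: public for public, real in STATIC_MAP.items()}

# Assumed static routing table on the bastion: (destination network, next hop).
ROUTES = [
    (INTERNAL_NET, "172.16.0.1"),
    (DMZ_NET, "192.168.1.1"),
    (DEFAULT_NET, "203.0.113.254"),  # upstream router
]


def check_hide_address(hide_addr=HIDE_ADDR):
    """Caveat from the reply: hide behind any free public address except
    the firewall's own external interface."""
    if hide_addr == FW_EXTERNAL:
        raise ValueError("hide address must not be the bastion's own address")
    if ipaddress.ip_address(hide_addr) not in PUBLIC_NET:
        raise ValueError("hide address must come from the registered network")
    return True


def lookup_route(dst):
    """Longest-prefix match over the static routing table; returns the next hop."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net, _ in ROUTES if addr in net), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


def translate_inbound(dst):
    """Public destination -> real destination. Only statically mapped
    addresses are reachable from outside; the hide address has no inbound
    mapping of its own."""
    return STATIC_MAP.get(dst)


def translate_outbound(src):
    """Real source -> public source: the static mapping if one exists,
    otherwise the host hides behind HIDE_ADDR."""
    return REVERSE_STATIC_MAP.get(src, HIDE_ADDR)


def handle_inbound(dst, translate_first=True):
    """Return (delivered destination, next hop) for an inbound packet, or None
    if nothing maps to dst.  With translate_first=True (what the poster
    observed) the static map is applied before the routing lookup, so the
    internal next hop is chosen.  With translate_first=False the untranslated
    public address matches only the default route, so the packet would be
    handed back to the upstream router."""
    real = translate_inbound(dst)
    if real is None:
        return None
    hop = lookup_route(real) if translate_first else lookup_route(dst)
    return real, hop


def proxy_arp_addresses():
    """Public addresses the bastion must answer ARP for on its external
    interface (the 'arp -s ... pub' entries): every translated public
    address that is not the interface's own."""
    addrs = set(STATIC_MAP) | {HIDE_ADDR}
    addrs.discard(FW_EXTERNAL)
    return sorted(addrs, key=ipaddress.ip_address)


if __name__ == "__main__":
    check_hide_address()
    for public in ("203.0.113.66", "203.0.113.129"):
        print(public, "->", handle_inbound(public),
              "| route-first:", handle_inbound(public, translate_first=False))
    print("outbound 172.16.5.5 ->", translate_outbound("172.16.5.5"))
    print("proxy ARP entries:", proxy_arp_addresses())
```

Running the script shows why the order matters: with the translation done first, the mail server's public address resolves to the internal next hop, while a route-first lookup on the same packet picks the default route. The proxy ARP list is exactly the set of addresses that would need an `arp -s ... pub` entry on the external interface.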

