This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need help with Screened Subnet using two Firewalls

Hello All,

( I have linked to a network diagram that may help you better understand my setup, I have also inserted it as an image at the bottom of this post)
                             Screened Subnet.jpg

I am attempting to setup a Screened Subnetwork in my lab using ASL 7.11 for both the Perimeter, and Internal Firewalls.
I have several static IP's all of which are being listened for on the WAN port of my Perimeter Firewall.
I am then doing a one-to-one NAT conversion for each Static Ip and assigning it to an Internal IP.

So for Example 216.122.216.10 DNATS to 10.4.3.10
(And of course SNATS from 10.4.3.10 to 216.122.216.10)

The 10.4.3.0/24 network is located on a separate ethernet port on the Perimeter Firewall and that port is connected to a Cisco 2950 switch. (The Ip address assigned to that ethernet port is 10.4.3.1)

The Internal Firewall's WAN port in connected to the 10.4.3.0/24 network via the Same Cisco Switch (The Ip address assigned to that ethernet port is 10.4.3.2
the Internal Firewall is taking Ip addresses that are coming in on the 10.4.3.0/24 network and doing a one-to-one NAT conversion from the 10.4.2.0/24 network to the 192.168.23.0/24 network.

So for Example 10.4.3.10  DNATS to 192.168.23.10
(And of course SNATS from 192.168.23.10 to 10.4.3.10)

here are some more details on the network setup

Perimeter Firewall
eth0 (WAN)
IP: 216.122.216.2
Default Gateway: 216.122.216.1
Netmask: 255.255.255.0
Other Ip addresses on this interface 216.122.216.3 - .254

eth5 (Internal Network)
IP: 10.4.3.1
No Gateway
Netmask: 255.255.255.0

Internal Firewall
eth0 (Internal Network Out)
IP: 10.4.3.2
Default Gateway: 10.4.3.1
Netmask: 255.255.255.0

eth5 (Internal Network)
IP: 192.168.23.1
No Gateway
Netmask: 255.255.255.0

I can not get this to work, quite right and am hoping some one can shed some light on what I may be doing or not doing that would be keeping me from routing packets in and out. I will do some more testing and post information about how far I can see packets coming in and going out.  ( and yes the packet filters are set to allow in and out for my configuration ) that does not seem to be the issue.

Kind Regards,

Profile

This thread was automatically locked due to age.

Parents

0 Simon Shaw over 17 years ago

Rather than doing multiple NATs I would add some routes to the firewalls so only one NAT is required. Then routing can take care of the traffic to its destination.
Cancel
Vote Up 0 Vote Down

Cancel
0 Profile over 17 years ago in reply to Simon Shaw

Can you give me an example of where and which kind of route to setup to allow routing out of the physical setup of the network shown above?

Thanks,

Pro
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 17 years ago in reply to Profile

Can you give indication of what bits are working and which arent?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon Shaw over 17 years ago in reply to Profile

Can you give indication of what bits are working and which arent?
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data