[TCLUG] RE: [TCLUG:21717] Speaking of DSL [was: Project Idea: ExpectTK to configure Cisco 675's]

[Adam Maloney]

Yes, but he was looking at not having to do NAT from his real IP on the
675 -> 10.0.0.x -> 192.168.1.x.  My solution accomplishes this, but the
firewall would have to do proxy ARP for the IP's.  And there's no
guarantee that it would work, I've never tried it.

Really though the proper way is to just let it do the NAT twice.  You're
routing between two different networks, the ISP/DSL network and the
firewalled internal network.  You're sending the packets through the extra
hop anyways, the NAT will add almost nothing extra to it.

Adam Maloney
Systems Administrator
Sihope Communications

On Wed, 27 Sep 2000, Eric Hillman wrote:

> > Give the 2nd ether on the firewall, say, 10.0.0.128/29 (for instance).
> > You assign your machines 10.0.0.129, 10.0.0.130, etc.  Then you setup the
> > port forwarding on the DSL router:
> >
> > your.machine:25 -> 10.0.0.129:25.  The DSL router sees 10.0.0.0/24 as the
> > entire subnet, and it forwards the packets to the ethernet port (doing the
> > NAT form your external IP to 10.0.0.129).  The firewall sees a packet
> > coming in for 10.0.0.129:25, doesn't do any NAT but just filters, and
> > sends it on it's way.
> >
> > So your DSL router thinks it's on a /24 network, the firewall thinks that
> > eth0 is a /30 (just it and the router), and it's other ether port is on
> > a different subnet (you have to make sure that what you assign your
> > machines out of doesn't overlap with what the firewall sees, so it doesn't
> > get conflicting netmasks.
> 
> 
> Um, I really think you're making things more complicated than they need to be.
> (I'm allergic to weird netmasks -- I suppose if you're comfortable with that
> stuff, maybe you think differently).
> 
> Just use a reserved class C address internally -- 192.168.xxx.yyy and a netmask
> of 255.255.255.0  (Clue for the Clueless -- "xxx" must be *identical* on every
> internal box, "yyy" must be *unique*).
> 
> The end result is more or less the same, I just find it easier to deal with
> mentally when different networks actually *look* different.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
> For additional commands, e-mail: tclug-list-help at mn-linux.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
For additional commands, e-mail: tclug-list-help at mn-linux.org