1-1 NAT? - Hardware Firewall Question

Thanks ahead of time... I have a Win2003 web server with multiple sites (not using host headers) running in a data center. As of now I only have a software firewall running on it. Want to add a hardware appliance but am stumped on what I need to look for. I am confused about what it takes to forward multiple (not consecutive) external IPs in our range through to multiple internal addresses. I know the basics of hardware firewalls but am not sure what to look for that would fit this need. I definitely know the cheaper firewalls don't support this. I've looked over what SonicWall has to offer but am not sure which firewall would be best for this. I don't want to do anything too fancy, just block the junk packets before they get to the machine and lock down all but the necessary ports. Each IP now has at least http/https/smtp/pop running on them. Also, what exactly is the interface in the firewall's admin that would allow this? Is it 1-1 NAT? Thx, Roy J

Reply to
Judge Roy Bean

You have a data center with multiple non-consecutive IP addresses on the public side?

I have a block of public IP addresses, I assign a first one to my firewall and then others in the group to its external interface. Let's say I have 16 IPs, I assign IP 1,2,3,4,5,10~16 to the external interface and then use 6~9 for test servers that are not protected by the firewall.

This means I have the inbound internet connection running to a switch and the Firewall gets one connection and the non-protected devices get another physical connection to that public switch.

Now, port/ip mapping in 1:1 mode or NAT mode is very simple. I have a bunch of websites behind the firewall running on several servers, I set all their A records to point to IP's 1,2,3,4,5 as needed then I set the firewall to map IP1:80 to internal NAT IP 200:80 (since 200 is one of the servers) and then IP2:80 to NAT IP 200:80, and then IP3:80 to NAT IP 201:80 and so on.....

Why don't you use HOST Headers - my Linux boxes and IIS boxes are all set up with Host Headers and it's worked very well for years.

What you need to do is find a Firewall Appliance that allows for assignment of non-consecutive IP's in the same subnet or allows for multiple subnets on the external interface. I use WatchGuard Firebox X700, 1000 and such for that function.

Reply to
Leythos
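As an added illustration (not posted by anyone in the thread) of the 1:1 / port-mapping scheme Leythos describes, here is a small Python model of the firewall's inbound translation table with a default deny, plus the connection state a firewall needs so replies leave with the right public address. The address ranges and server numbers are constructed placeholders.

```python
from ipaddress import IPv4Network

# Constructed topology (placeholder ranges, not from the thread): the public /26 is
# 203.0.113.0/26 and the LAN is 192.168.0.0/24, so "IP 1" in the post is 203.0.113.1
# and "NAT IP 200" is 192.168.0.200.
PUBLIC = IPv4Network("203.0.113.0/26")
LAN = IPv4Network("192.168.0.0/24")

# Non-consecutive public addresses bound to the firewall's external interface (1-5, 10-16).
# 6-9 belong to the unprotected test servers on the same public switch.
EXTERNAL_IPS = {str(PUBLIC[i]) for i in (*range(1, 6), *range(10, 17))}

# Inbound mapping table: (public ip, port) -> (internal ip, port). Two public IPs can point
# at one server, and only the services a site actually runs are listed; nothing else opens.
FORWARDS = {
    (str(PUBLIC[1]), 80): (str(LAN[200]), 80), (str(PUBLIC[1]), 443): (str(LAN[200]), 443),
    (str(PUBLIC[1]), 25): (str(LAN[200]), 25), (str(PUBLIC[1]), 110): (str(LAN[200]), 110),
    (str(PUBLIC[2]), 80): (str(LAN[200]), 80), (str(PUBLIC[2]), 443): (str(LAN[200]), 443),
    (str(PUBLIC[3]), 80): (str(LAN[201]), 80),
}

# State the firewall must keep so replies leave with the right public source address:
# (internal ip, internal port, client ip, client port) -> public ip the client sent to.
CONNTRACK = {}


def inbound(client_ip, client_port, dst_ip, dst_port):
    """Classify a packet arriving from the public switch.

    Returns ("bypass", None) when dst is not a firewall address (it never reaches the
    firewall), ("drop", None) for an unmapped port (default deny), or ("dnat", target).
    """
    if dst_ip not in EXTERNAL_IPS:
        return ("bypass", None)
    target = FORWARDS.get((dst_ip, dst_port))
    if target is None:
        return ("drop", None)
    CONNTRACK[(target[0], target[1], client_ip, client_port)] = dst_ip
    return ("dnat", target)


def outbound_reply(server_ip, server_port, client_ip, client_port):
    """Source address to stamp on a server's reply. Because 192.168.0.200:80 answers for
    both IP 1 and IP 2, FORWARDS alone cannot be inverted; the connection table resolves it.
    Returns None when no tracked connection matches (the reply should not be forwarded)."""
    return CONNTRACK.get((server_ip, server_port, client_ip, client_port))
```

The model shows why a firewall that only binds one external address cannot do this: the decision starts with whether the destination is one of the addresses bound to the external interface at all.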

Thanks. I share data center space with a company I used to work for. IPs were juggled before I entered into the picture - I believe we have a range of 64 - so I ended up with non-consecutive available IPs.

So if I get a firewall that supports multiple external IPs, is it as easy as defining those IPs in the firewall's external network settings and going about NATing them through? Right now our connection comes through a cisco router, into a switch and from there resolves to our IIS boxes. I'll just be putting a firewall between the switch and my machine to do the resolving and it'll be translating through.

One of the main reasons I'm stumped is that when sifting over the documentation on sites like WatchGuard's or SonicWall's I'm not entirely sure what specifically to look for in the description that tells me it supports multiple external IPs. Is it "One-to-one NAT", or whether it lists "multiple interfaces"? I'm looking at 700/1000:

I don't use host headers right now because 3 of the 6 sites on the box have SSL certs assigned and I have the IPs available for each to have their own. Can always change a few of the sites over to using host headers if I ever need to. Thanks for the help. Roy

Reply to
Judge Roy Bean

Yes, it's as easy as adding the first IP with a /xx subnet notation and then adding the "additional" IP addresses in that same subnet as needed. You can add them out of sequence, you can even add IP from a different subnet as an additional network.

You can do NAT or you can do drop-in mode where your Public IPs are on both sides (WAN:LAN) and still provide firewall functions between the two. The NAT option gives you the ability to grow beyond your 1:1 mode but it requires more work and planning.

Yea, it's hard to find specific features in any appliance or other, they give general ones and you have to call and query them about specifics and then get them to email you the details. It's that way with all the vendors unless they give an example that shows what you're looking for.

The nice thing about the WG series is that they act as VPN end-points for PPTP, which means you can PPTP into the firewall and then manage it and your network as though you were sitting there at the network. You can also create some really nice rules that allow PPTP users (based on their login name at the firebox) access to very specific ports/IP in the network - so you could limit a user to accessing server1:port:xyz only, while at the same time another user could have access to the entire LAN.

When you get the appliance, if you get a WG FB, post back if you need help, we often set up appliances and then ship them to customers who just connect the cables and they work - it's fairly easy to do via email or Usenet also (as long as we don't talk specific IP's in public).

Reply to
Leythos

