Julian's networking challenge 2005

Bill Vermillion bv at wjv.com
Tue Jun 28 12:23:59 GMT 2005


Putting quill to paper and scribbling furiously on Mon, Jun 27,
2005 at 22:08, Julian Elischer missed achieving immortality when
he said:


> So for reasons that I won't go into, I find myself renumbering an entire
> company.
> However, I have a particular problem I can't figure out how to fix.

> I have a gateway/firewall machine running 4.x

> It has 3 interfaces.

> fxp0 goes to the internal trusted network.
> fxp1 goes to the internet via a T1 via a Cisco box,
> but is shared with another section of the company.
> The company web service is advertised as coming from an address
> that is on an address advertised as being on this T1. So are
> other services.

> fxp2 also goes to the internet via a Cisco box; however, nothing is using
> it at the moment.

> The one shared T1 is being flooded out by users behind this machine
> much to the annoyance of the users on the other part of the company.
> This is supposed to be their T1.

> For reasons that are beyond the scope of this problem, the advertised
> DNS addresses for the services advertised cannot just be switched
> to be via the other T1.

> The network attached to fxp0 needs to be NAT'd to use the Internet
> as it is using illegal numbers.

> The challenge:

> Figure out a way so that all the users on the network behind fxp0
> can use the internet using the T1 attached to the Cisco off fxp1,
> while all the advertised services (about 8 of them, few enough to
> list by hand in rules etc.), which are also behind fxp0 but accessed by
> NAT'd addresses from the addresses on fxp1's net, are accessed solely via that
> T1.

> [ internet ]
>  |       |
> T1       T1
>  |       |
> [cisco] [cisco]--------[other part of company]
>  |       |
> [fxp1]   [fxp2]
> [  freebsd 4.x ]
>      [fxp0]
>         |
>         |
> -----------------------illegal numbere'd net(s) (e.g. 192.168.x.x)-----
>                 |              |              |
>             [server 1 ]     [server 2]      [lots of users]
> 
> I can get the 'forward' direction easily, i.e. incoming packets.
> 
> It's the reverse direction that doesn't work for me.
> I considered running 2 NATDs,
> but I need to run ipfw to identify the reverse streams to force back via
> fxp2,
> and the only way I can do that is by using the 'fwd' command.

...

You didn't indicate the model of Ciscos, but I've used both
NAT and PAT in Cisco routers.

I'm wondering whether, if you did the NATing in the routers, this wouldn't
help?

Bill

-- 
Bill Vermillion - bv @ wjv . com
