Adam Piasecki wrote:
> Vincent R Ragosta wrote:
>> Okay, so I know enough about networking to shoot myself in the foot.
>> So, before pulling the trigger, I wanted to run this by more
>> knowledgeable individuals than I.
>> I'm trying to secure my small business's network more than it currently
>> is. Right now, I simply have a Cisco 871 that is using NAT to service
>> the entire LAN. But, we have been allocated a x.x.x.x/29 network, so I
>> have a couple of static IP addresses to work with. As a result, I was
>> wondering if it would be possible to have a topology similar to this:
>>                (bridged)                 (Inbound NAT)
>> T1-->Cisco 871 (IP filter)---------->MonoWall--------------->LAN
>>                                         |
>>                                         | (1:1 NAT)
>>                                         v
>>                                        DMZ
>> So, essentially I want to use the Cisco 871 as a simple IP filter and
>> have 3 interfaces on the MonoWall firewall. One interface would be
>> bridged to the Cisco, one interface would be servicing the LAN using
>> inbound NAT, and the last interface would be hosting public servers
>> using 1:1 NAT. Is this configuration possible? Is it possible to
>> allocate one public IP address to service the LAN and several different
>> public IP addresses to handle the DMZ? If this is possible, how (at a
>> very high level)? Would I need to further subnet my public IP address
>> allocation across the LAN and DMZ interfaces?
I have a setup like this. I have a /29 subnet and my connection is made via
So I configured my modem as an LLC bridge with the VPI/VCI values,
then I set up m0n0wall like this:
WAN : PPPoE
LAN : captive portal
DMZ : holds the public IPs and acts as the gateway for the /29 subnet,
to which I connect a web server that holds the domain name.
In m0n0wall's 1:1 NAT I added the /29 subnet as both the external and the internal
subnet on the WAN interface; this disabled NAT for that subnet.
After that I needed to do NAT on one of the public IPs to publish a service
on a device connected to the LAN interface,
so I changed the 1:1 NAT and only disabled NAT for the web server IP, which made
the 1:1 rule look like this:
Interface   External IP          Internal IP
WAN         196.xx.xx.xx/32      196.xx.xx.xx/32
And at the same time I could use another IP of the /29 subnet in server NAT
and do all my special NAT on it.
Note: sorry Neil for the wrong reply to your address, I always mess it up.
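The scheme above (one public /29 on the DMZ side, an identity 1:1 mapping that switches NAT off for the web server, and a second public IP reserved for server NAT into the LAN) is easy to get wrong by reusing an address in two rule tables. The following Python script is an added example written for this page, not code from the thread or from m0n0wall; it models the address plan and the two NAT tables with the standard `ipaddress` module and checks an inbound packet against them. The addresses (203.0.113.0/29 as a stand-in for the poster's x.x.x.x/29, 192.168.1.10 as the LAN device), the role assignment of the six usable addresses, and the rule precedence (1:1 before server NAT) are all assumptions chosen for the illustration.

```python
"""Model of the /29 address plan and m0n0wall-style NAT tables from the thread.

Added example; all addresses are constructed documentation ranges, and the
rule precedence (1:1 first, then server NAT) is an assumption.
"""
import ipaddress

PUBLIC_BLOCK = "203.0.113.0/29"                  # constructed stand-in for x.x.x.x/29
LAN_HOST = ipaddress.ip_address("192.168.1.10")  # constructed LAN device to publish


def plan_block(cidr):
    """Assign a role to each usable address of the /29 (assumed layout).

    Mirrors the post: the DMZ interface is the gateway for the block, the web
    server sits directly on a public IP, and one more public IP is kept for
    server NAT (port forwards into the private LAN).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen != 29:
        raise ValueError("expected a /29, got /%d" % net.prefixlen)
    usable = list(net.hosts())  # a /29 has 6 usable addresses
    roles = ["dmz-gateway", "webserver", "server-nat", "spare", "spare", "spare"]
    return dict(zip(usable, roles))


def build_rules(plan):
    """Build the two rule tables.

    one_to_one: list of (external/32, internal/32); mapping an address to
    itself is the trick from the post that turns NAT off for that host.
    server_nat: {(external IP, proto, port): (internal IP, port)}.
    """
    by_role = {role: ip for ip, role in plan.items()}
    web_net = ipaddress.ip_network(f"{by_role['webserver']}/32")
    one_to_one = [(web_net, web_net)]            # identity mapping = NAT disabled
    server_nat = {(by_role["server-nat"], "tcp", 443): (LAN_HOST, 443)}
    return one_to_one, server_nat


def check_rules(one_to_one, server_nat):
    """Refuse a public IP that is both in a 1:1 mapping and a server-NAT rule."""
    for (ext_ip, _proto, _port) in server_nat:
        for ext_net, _int_net in one_to_one:
            if ext_ip in ext_net:
                raise ValueError(f"{ext_ip} is in 1:1 mapping {ext_net} and in server NAT")
    return True


def translate_inbound(dst_ip, proto, dport, one_to_one, server_nat):
    """Return (internal IP, internal port) for an inbound packet, or None.

    1:1 entries are consulted first (assumed precedence); a packet matching
    nothing gets no translation and would be left to the WAN filter rules.
    """
    dst = ipaddress.ip_address(dst_ip)
    for ext_net, int_net in one_to_one:
        if dst in ext_net:
            offset = int(dst) - int(ext_net.network_address)  # 0 for /32 pairs
            return ipaddress.ip_address(int(int_net.network_address) + offset), dport
    return server_nat.get((dst, proto, dport))


def demo():
    """Run the plan through a few constructed inbound packets."""
    plan = plan_block(PUBLIC_BLOCK)
    one_to_one, server_nat = build_rules(plan)
    check_rules(one_to_one, server_nat)
    return {
        "web_http": translate_inbound("203.0.113.2", "tcp", 80, one_to_one, server_nat),
        "snat_https": translate_inbound("203.0.113.3", "tcp", 443, one_to_one, server_nat),
        "snat_http": translate_inbound("203.0.113.3", "tcp", 80, one_to_one, server_nat),
        "spare_http": translate_inbound("203.0.113.4", "tcp", 80, one_to_one, server_nat),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The web server's public address comes back unchanged (the identity 1:1 entry), only port 443 on the server-NAT address reaches the LAN host, and anything else has no translation at all, which is the behaviour you want before the Cisco's IP filter and the m0n0wall WAN rules are layered on top.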