
Firewall, NAT, Quad Card

By snsdatahub
I've got a quad card on a firewall:

1st link to my internal segment
2nd link to my DMZ with external IP addresses
3rd link to the Internet
4th link to my databases with Internal IP addresses

Question is... can I allow external users to link to my databases on the 4th ethernet port via NAT?

If so... can that NAT-ed external IP address be part of the subnet range of my 2nd link? I am only given a few public IP addresses and I am unable to subnet it further. The only way is to use one of the IP addresses which is currently available from my 2nd link (does this sound confusing?).

Can this be done?

I'm using Checkpoint and am wondering whether I should add a route and arp on the firewall after adding the rules for the NAT.

Please advise.

Thanks

Firewall, NAT, Quad Card

by Greybeard770 In reply to Firewall, NAT, Quad Card

Sounds like it should work. The thing we have had to do with Checkpoint is to have a route with a 32-bit mask for the NATed addresses in the LAN. Of course the 4th link would have to be another subnet than your LAN from the perspective of the real IP address.


Firewall, NAT, Quad Card

by snsdatahub In reply to Firewall, NAT, Quad Card

The question was auto-closed by TechRepublic


Firewall, NAT, Quad Card

by ewen.yw.fung In reply to Firewall, NAT, Quad Card

From a technical point of view, you can do this by using Checkpoint static NAT configuration. The high-level steps are:
1) Create an object with the IP address field filled with your DB server's internal IP
2) Set the static NAT in this object
3) Publish the ARP entry on the 3rd link, i.e. use the 3rd link's MAC address to respond to the requests for the public address
4) Add a host route in the FW so that all traffic to the public IP will route to the internal IP of the DB server.

All can use any public address that is routable within the paths.

Just set up exactly what you did in the DMZ (if your DMZ is using NAT as well).

As mentioned, technically feasible but not recommended from a security point of view, unless your DB contains no private/sensitive data.
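Checkpoint's static NAT is configured through its GUI, so as an added illustration (not code from this thread or from Check Point) here is a small Python planner that turns the four steps above, together with Greybeard770's 32-bit-mask route, into config entries after running the checks a practitioner would want first: the borrowed public IP really lies in the DMZ (2nd link) range and is not a reserved address there, the DB server sits on the 4th link, and the DB link is a different subnet than the LAN. The link names, interface names, addresses and the assumption that the firewall holds the first usable address of each subnet are all constructed for the example.

```python
import ipaddress

def plan_static_nat(links, public_ip, db_ip, arp_iface, allowed_sources):
    """Validate the layout from the thread and return the entries for the four steps.

    links: {"lan": (iface, cidr), "dmz": (iface, cidr), "ext": (iface, cidr), "db": (iface, cidr)}
    Assumption (constructed): the firewall owns the first usable address of every subnet.
    """
    pub = ipaddress.ip_address(public_ip)
    db = ipaddress.ip_address(db_ip)
    nets = {name: (iface, ipaddress.ip_network(cidr)) for name, (iface, cidr) in links.items()}
    dmz_if, dmz_net = nets["dmz"]
    db_if, db_net = nets["db"]
    lan_net = nets["lan"][1]
    errors = []

    # The poster wants to borrow an unused public IP from the DMZ (2nd link) range.
    if pub not in dmz_net:
        errors.append(f"{pub} is not in the DMZ subnet {dmz_net}")
    # Network, broadcast and the firewall's own DMZ address cannot be reused for NAT.
    reserved = {dmz_net.network_address, dmz_net.broadcast_address, next(dmz_net.hosts())}
    if pub in reserved:
        errors.append(f"{pub} is reserved on the DMZ segment")
    # The DB server's internal IP must live on the 4th link.
    if db not in db_net:
        errors.append(f"{db} is not on the DB link {db_net}")
    # Greybeard770's point: the 4th link must be a different subnet than the LAN.
    if db_net.overlaps(lan_net):
        errors.append(f"DB subnet {db_net} overlaps LAN subnet {lan_net}")
    if errors:
        return {"ok": False, "errors": errors}

    # Source networks allowed to reach the translated address (validated, not guessed).
    sources = [str(ipaddress.ip_network(s)) for s in allowed_sources]
    return {
        "ok": True,
        # Steps 1-2: host object with the internal IP and a static NAT to the public IP.
        "static_nat": {"object_ip": str(db), "translated_ip": str(pub)},
        # Step 3: answer ARP for the public IP with the chosen interface's MAC (proxy ARP).
        "proxy_arp": {"iface": arp_iface, "ip": str(pub)},
        # Step 4: /32 host route so traffic to the public IP is sent towards the DB link.
        "host_route": {"dest": f"{pub}/32", "next_hop": str(db), "iface": db_if},
        # Rule base entry limited to the sources that actually need the database.
        "access_rule": {"src": sources, "dst": str(pub), "action": "accept"},
    }
```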


Firewall, NAT, Quad Card

by snsdatahub In reply to Firewall, NAT, Quad Card

This question was auto closed due to inactivity
