[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

is it possible to NAT & BI-NAT on aliases on a NIC?


I have a weird network configuration. My client has a private WAN connection provided by the local government. There are two different parties that are using the WAN to provide services to the client. One has put their own Cisco PIX to protect their servers. The other connection has no firewall. Neither of these can be trusted, so I want to put them behind an OpenBSD firewall. The Cisco 1721 providing the WAN has a "generic" set of firewall rules that the government isn't willing to change (20,000 sites on the priate WAN, understandable to not want custom configs at each site!).

To get traffic out onto the WAN, I need to NAT it to very specific IP addresses. The catch is there are there are two different IP addresses they need the traffic NAT'd to. It is based on the source IP and destination IP.

I THINK the way to do this is to have an alias on the interface, and have the pf.conf do the NAT'ing appropriately. The alias is required so that the returning packets will be accepted by the correct interface.

So, is it possible to do a "binat" and a "nat" to addresses that are interface aliases? I'm still at the "on paper" design stages, so I can't test... the new firewall is not even onsite yet, so I do not have "hands on".

And yes, I know about VLAN's, but that's not the way that the client wants to go...

Here is an attempt at some ascii art!

+-----+ +---+
| O | (INTB) +----------------| | S | +-------------------+
| p |-----------------| Cisco PIX 506E |--| W |--| Cisco 1721 Router |-T1 to WAN
| e || | I | +-------------------+ A.B.C.D
| n | | T | E.F.G.H
| B | +--| C | Default Gateway I.J.K.L
| S | | | H | M.N.O.P
| D | | +---+ Q.R.S.T
| | |
| 3.7 | |
| C | |
| u | (INTC) |
| r |----------------------------------+
| r |alias
| e |alias
| n |
| t |
| |
Internal Network

Routes as follows: Traffic from 192.168.11.A/32 (via INTD) going to A.B.C.D/32 through INTC BINAT to Traffic from INTD to E.F.G.H through INTC NAT to Traffic from INTD to I.J.K.L through INTC NAT to

Traffic from INTD going to M.N.O.P through INTB NAT
Traffic from INTD going to Q.R.S.T through INTB NAT


PS. I know INTC could just have (or 29) as it's IP, but I want to keep things consistant

Visit your host, monkey.org