RE: strange firewall setup

[Martijn Berlage <MartijnB () allieddata nl>]

Looks to me like the setup of a LanOptics Guardian firewall by using their
NAR (Network Adress Retention). This saves you from having to alter routing
tables and adresses at your site and/or router.

You guessed right as to how it's set up. Seen from the LAN, the firewall
takes the position of the router. The ARP-processor that comes with the
firewall software sets up the machine to ARP as the existing router. It
works, but makes my skin crawl somehow. :-)

See http://ntguard.com/ for some general blahblah about this. (Emphasis on
general. In my experience, NetGuard/LanOptics is not very generous in
supplying decent info.)

Cheers!
Martijn

----------
Martijn Berlage
MartijnB () Allieddata nl
Network Engineer
Allied Data Technologies
----------
'We have no choice in what we are. Yet what are we,
   but the sum of our choices.'   --Rob Grant
----------


> -----Original Message-----
> From: Arc Angel [mailto:fwizlist () yahoo com]
> Sent: Wednesday, July 07, 1999 9:16 PM
> To: firewall-wizards () nfr net
> Subject: strange firewall setup
>
>
> I was at a customer site recently doing something only vaguely related
> to their firewall, and was totally baffled. I don't understand why it
> worked. Naturally, me being the consultant, I didn't want to ask them.
> It looked a little like the diagram below. IP addresses have been
> changed; onsite they are legitimate addresses.
>    |---------------|    |-----|   
> |----------------------------------------|
>    | router        |    |     |    |          Cisco Pix 
> Firewall       
>     |
>    | 192.168.0.1   |----| Hub |----| Ext IP Unknown   Int IP
> 192.168.0.20   |
>    | 255.255.252.0 |    |     |    |    (by me)           NM
> 255.255.252.0  |
>    |---------------|    |-----|   
> |----------------------------------------|
>                                       |
>                                    |-----|
>                                    | Hub |
>                                       |
>                           (~~~~~~~~~~~~~~~~~~~~~~~~~~~)
>                           ( Internal network          )
>                           ( 192.168.0.0:255.255.252.0 )
>                           (~~~~~~~~~~~~~~~~~~~~~~~~~~~)
> In other words, everything on the entire network was using
> 192.168.0.0/22, including the router *and* the firewall. But,
> physically, the router was on the other side of the firewall. And the
> router (192.168.0.1) was the default route for all the hosts on the
> internal network. How could this work? Would the firewall have to ARP
> as 192.168.0.1, but then know to forward?  Thanks, wizards.
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com