Keep in mind that NAT gateways need to reply to Address Resolution Protocol (ARP) requests for the NAT-mapped global addresses under their administrative authority. When the gateway's outside interface and the access router's inside interface share the same broadcast domain, those pool addresses are resolved by ARP, and the NAT gateway is required to answer on behalf of the whole static address pool. This can be accomplished by adding static ARP entries or, even better, alias interface addresses for the pool. Most of the time, the firewall/NAT software takes care of this by itself, though.
In the case of ordinary routing such as in Figure 15-1, remember to add explicit routes for NAT pools on screening/access routers toward the NAT engine. In that case, the pool is routed, and this is no longer an ARP issue. On some implementations, however, it might be necessary to add an explicit route for static mappings from the outside to the inside address; others handle this automatically. Now you know the two showstoppers to look out for in case of problems.
Redirection (Port Forwarding/Relaying or Transparent Proxying)
Port forwarding redirects connection requests that arrive at the NAT gateway to an arbitrary address/port. In certain configurations (port rewrite), this is referred to as transparent proxying. Also keep in mind that under certain circumstances (traffic entering and leaving on the same interface), it might be necessary to disable Internet Control Message Protocol (ICMP) redirects (sysctl -w net.inet.ip.redirect=0); otherwise, they might interfere with what you want to accomplish.
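The following script is an added example and not part of the original text: it pulls the three fixes discussed above (alias addresses so the gateway answers ARP for its pool, an explicit pool route on the access router for the routed case, and disabling ICMP redirects before a same-interface port forward) into a small, dry-run-by-default configuration helper. It assumes BSD-style ifconfig/route/sysctl syntax, matching the net.inet.ip.redirect sysctl in the text; the interface names and the 203.0.113.0/27 pool are constructed values for illustration.

```shell
#!/bin/sh
# Added example (not from the original text): generate, and optionally apply,
# the configuration a NAT gateway and its access router need so that NAT pool
# addresses are reachable. BSD-style command syntax is assumed.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them and
# therefore requires root on a real gateway.

DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nat_pool_alias_cmds IFACE PREFIX FIRST LAST
# Bridged/shared-segment case: add one /32 alias per pool address on the
# outside interface. The kernel then answers ARP for each address itself, so
# no static ARP entries are needed. The /32 mask keeps the interface from
# claiming a second subnet it does not own.
nat_pool_alias_cmds() {
    iface=$1; prefix=$2; first=$3; last=$4
    i=$first
    while [ "$i" -le "$last" ]; do
        run ifconfig "$iface" alias "$prefix.$i" netmask 255.255.255.255
        i=$((i + 1))
    done
}

# access_router_pool_route NETWORK MASKLEN NAT_GATEWAY
# Routed case (Figure 15-1 style): the screening/access router forwards the
# whole pool to the NAT engine's outside address, so ARP for pool addresses
# never occurs on the access router's segment.
access_router_pool_route() {
    run route add -net "$1/$2" "$3"
}

# port_forward_prereqs
# Same-interface redirection (hairpin port forward / transparent proxy) can
# make the gateway emit ICMP redirects that undo the forwarding; switch them
# off before installing the redirect rule.
port_forward_prereqs() {
    run sysctl -w net.inet.ip.redirect=0
}

# verify_pool_arp PREFIX FIRST LAST
# Check on a live gateway: every pool address must show up as a local entry
# in the ARP table. Returns 1 and names the first missing address otherwise.
# (Only meaningful with DRY_RUN=0 on a real host.)
verify_pool_arp() {
    prefix=$1; first=$2; last=$3
    i=$first
    while [ "$i" -le "$last" ]; do
        if ! arp -an | grep -q "($prefix.$i)"; then
            echo "missing ARP entry for $prefix.$i" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Demonstration with constructed values; set NAT_DEMO=1 to see the output.
if [ "${NAT_DEMO:-0}" = "1" ]; then
    echo "# on the NAT gateway (pool shares the outside segment):"
    nat_pool_alias_cmds em0 203.0.113 10 13
    port_forward_prereqs
    echo "# on the access router (pool is routed instead):"
    access_router_pool_route 203.0.113.0 27 198.51.100.1
fi
```

Run it with NAT_DEMO=1 to review the generated commands first; only once they look right for your addressing should DRY_RUN=0 be used on the gateway, followed by verify_pool_arp to confirm the pool addresses appear in the ARP table.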