multiple nat devices

watts3000

Senior member
Aug 8, 2001
619
0
0

I'm redesigning my firewall. I would like to know: will having multiple NAT devices cause problems? For example, I plan on using my Linksys BEFSR41 router, an Astaro Linux firewall and ISA as a proxy server.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
For generic TCP flows, it'll work fine. For NAT/PAT application assists, you could run into trouble. It depends on what kinds of applications you need.
 

Kadarin

Lifer
Nov 23, 2001
44,296
16
81
With multiple NAT devices you may need to turn on a routing protocol (RIP) or configure some static routes if you need to send traffic across your local subnets.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
Astaroth33, RIP is evil. Evil, evil, evil. Please don't do it.

It would probably not be a good idea to have any systems on the network between the "outside" interface of the inner NAT/PAT device and the "inside" interface of the outer NAT/PAT device. It is also important to ensure that there's no overlap between the two different private subnets.
 

watts3000

Senior member
Aug 8, 2001
619
0
0
Guys, I plan on running my home website, which is ASP.NET based and hits a SQL Server 2000 database. Also I will be running my Exchange 2003 server, and soon I will be putting up a Citrix Feature Release 2 or 3 test box. I plan on testing the Citrix box over the web also. Astaroth33, I'm not a networking guru; can you tell me why I might need to use some static routes?
 

Kadarin

Lifer
Nov 23, 2001
44,296
16
81
Originally posted by: watts3000
Guys, I plan on running my home website, which is ASP.NET based and hits a SQL Server 2000 database. Also I will be running my Exchange 2003 server, and soon I will be putting up a Citrix Feature Release 2 or 3 test box. I plan on testing the Citrix box over the web also. Astaroth33, I'm not a networking guru; can you tell me why I might need to use some static routes?

Here's a crudely drawn ASCII art example:

Internet------> Router 1 <-----> 192.168.1.0/24 <------> Router 2 <------> 192.168.2.0/24

Machines on the 192.168.1.0/24 network point to Router 1 as their gateway, and Router 1 has a default route pointing out to the internet. Machines on 192.168.2.0/24 point to Router 2 as their gateway, and Router 2 has a default route pointing to Router 1. Now suppose a machine on 192.168.1.0/24 needs to access a resource (say an ftp server or a webpage or something) on one of the machines in 192.168.2.0/24. That resource is not in the local subnet, so the computer sends the request to the default gateway, which attempts to send it out over the internet via the default route. A properly configured static route (or dynamic routing protocol like RIP) will make sure the router sends that request out the correct interface, to Router 2.

cmetz: RIP may not be the best protocol, but it is supported by most home NAT boxes and is incredibly easy to set up. My little example above would not be well served by OSPF (though it would work if the hardware supported it).
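To make the routing decision in the diagram above concrete, here is an added example (my own code, not part of the original thread) that simulates Router 1 and Router 2 with Python's standard ipaddress module. The routing tables, the host addresses and the "deliver"/"Internet" labels are constructed for the illustration; the same block also checks the two private subnets for overlap, the point cmetz raised earlier in the thread.

```python
import ipaddress

# Constructed routing tables modelled on the ASCII diagram in the thread:
#   Internet -- Router 1 -- 192.168.1.0/24 -- Router 2 -- 192.168.2.0/24
# A route is (prefix, next hop). A next hop is another router's name, the
# terminal label "Internet", or "deliver" for a directly connected subnet.
ROUTERS_NO_STATIC = {
    "Router 1": [
        ("192.168.1.0/24", "deliver"),   # inside LAN, directly connected
        ("0.0.0.0/0", "Internet"),       # default route toward the ISP
    ],
    "Router 2": [
        ("192.168.2.0/24", "deliver"),   # inside LAN, directly connected
        ("192.168.1.0/24", "deliver"),   # its outside interface sits here
        ("0.0.0.0/0", "Router 1"),       # default route points at Router 1
    ],
}

# Same topology after adding the static route described above to Router 1.
ROUTERS_WITH_STATIC = {
    "Router 1": ROUTERS_NO_STATIC["Router 1"] + [("192.168.2.0/24", "Router 2")],
    "Router 2": ROUTERS_NO_STATIC["Router 2"],
}


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins.

    Returns the next hop label, or None when no route matches.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def forward(routers, first_hop, dst, max_hops=8):
    """Trace a packet hop by hop from a host whose default gateway is first_hop."""
    path = [first_hop]
    router = first_hop
    for _ in range(max_hops):
        next_hop = lookup(routers[router], dst)
        if next_hop is None:
            path.append("dropped: no route")
            return path
        if next_hop == "deliver":
            path.append("delivered to " + dst)
            return path
        path.append(next_hop)
        if next_hop not in routers:      # terminal label such as "Internet"
            return path
        router = next_hop
    path.append("dropped: routing loop")  # hop budget exhausted
    return path


def overlapping_subnets(subnets):
    """Return the pairs of prefixes that overlap (the overlap cmetz warns about)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    # Host on 192.168.1.0/24 (gateway Router 1) reaching a box on 192.168.2.0/24
    print(forward(ROUTERS_NO_STATIC, "Router 1", "192.168.2.20"))
    print(forward(ROUTERS_WITH_STATIC, "Router 1", "192.168.2.20"))
    print(overlapping_subnets(["192.168.1.0/24", "192.168.2.0/24"]))
```

Without the static route the trace stops at "Internet", which is exactly the symptom described above: Router 1 has no more specific entry than its default, so the request for 192.168.2.20 leaves the wrong interface. With the static route the packet reaches Router 2 and is delivered. The hop budget in forward() is there because two NAT boxes whose default routes point at each other form a loop, and overlapping_subnets() catches the case where the two private subnets share addresses, since longest-prefix matching can then no longer tell the inside networks apart.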
 

RideFree

Diamond Member
Jul 25, 2001
3,433
2
0
Originally posted by: Astaroth33
Originally posted by: watts3000
Guys, I plan on running my home website, which is ASP.NET based and hits a SQL Server 2000 database. Also I will be running my Exchange 2003 server, and soon I will be putting up a Citrix Feature Release 2 or 3 test box. I plan on testing the Citrix box over the web also. Astaroth33, I'm not a networking guru; can you tell me why I might need to use some static routes?

Here's a crudely drawn ASCII art example:

Internet------> Router 1 <-----> 192.168.1.0/24 <------> Router 2 <------> 192.168.2.0/24

Machines on the 192.168.1.0/24 network point to Router 1 as their gateway, and Router 1 has a default route pointing out to the internet. Machines on 192.168.2.0/24 point to Router 2 as their gateway, and Router 2 has a default route pointing to Router 1. Now suppose a machine on 192.168.1.0/24 needs to access a resource (say an ftp server or a webpage or something) on one of the machines in 192.168.2.0/24. That resource is not in the local subnet, so the computer sends the request to the default gateway, which attempts to send it out over the internet via the default route. A properly configured static route (or dynamic routing protocol like RIP) will make sure the router sends that request out the correct interface, to Router 2.

cmetz: RIP may not be the best protocol, but it is supported by most home NAT boxes and is incredibly easy to set up. My little example above would not be well served by OSPF (though it would work if the hardware supported it).

I am testing Comcast as an alternative to Covad, as Comcast is about to blast into the 3000Kb D/L arena.

Therefore, I now have temporary access to two internet connections across two separate routers, a Linksys (192.168.1.1) and a SpeedStream (192.168.254.254), joined by the Asus A7N8X Deluxe (with two Ethernet ports, 3Com and Realtek).

Could you make another of your lovely diagrams to explain how this should be approached?
I assume that two or three configurations are possible, including "shotgunning" the two web connections for a theoretical 4.5Mb D/L...?
TIA :D:D:D

Actually, shotgunning is not what I'm after (although a little experimentation never hurt anyone).
Simply having access to/from all of the machines across the two routers would do fine as long as there were no conflicts with web access from the Asus (or any of the others, for that matter).
PS: Comcast connects with TCP/IP and Covad uses PPPoE over TCP/IP.