[Veritas-bu] nbu through a firewall

Subject: [Veritas-bu] nbu through a firewall
From: John_Wang AT enron DOT net John_Wang AT enron DOT net
Date: Tue, 27 Feb 2001 13:34:22 -0600
Hello

With our Cisco PIX running NAT, I requested that the network team add specific
NAT commands such that packets sourced from my master and media servers would
get peered to specific public addresses.   Then it was only necessary to place
entries in the client's local hosts table such that the names of the master and
media servers would map to the "false" public IP addresses outside of the
firewall.   Since by policy all outgoing traffic was allowed, no changes were
needed for server directed actions but the incoming control ports had to be
opened for the clients to be able to initiate actions.   Fortunately, the data
channels seem to be server initiated, at least so far.   I would've liked the
Veritas manuals to be more specific about their networking requirements.   To
reduce the load on the firewall, I run the classes for clients on the other side
with the number of concurrent jobs set to 1; of course I could also throttle
down the bandwidth and probably should, there always seem to be fewer problems if
you're not so demanding of the network.

Note that the Cisco concept of NAT where the internal addresses are peered with
an external either on a one to one basis or dynamically to a pool is what makes
this possible.   The usual concept of NAT where the private subnet only uses one
external address is akin to Cisco's PAT concept.

It was necessary for me to surf to the Cisco documentation, read them and
guesstimate what the NAT command should be cause the network team wasn't
prepared to put much effort into researching the issue, however they were
willing to type in something that I provided verbatim.   I consider that kind of
team play, administering with boxing gloves on.

Note, I thought it was RFC-1918 that recommended the reserved use of selected
subnets for private internets not RFC-1597, though perhaps 1597 was superseded
by 1918.   Also, wasn't RFC-1918 canonized as BCP-5?   Remember, RFC stands for
"Request For Comment" whereas BCP stands for "Best Current Practice".   Of
course, that's all from memory...

Also note, I've encountered some problems with selected VPN products when
tunnelling from my home RFC-1918 private subnet to an office's private subnet
when they've used all of the RFC-1918 subnets at the office.   The problems seem
to be with VPN products that rely on establishing static routes on the client
such that the office's internal subnets are routed through the VPN, however if
the client itself is in one of the subnets to be routed albeit still outside the
office, it gets confused.   Rumour has it that Cisco's VPN client can address
such VPN-through-two-NATs issues but I don't see how unless they pop up to
layer 4 for the routing decision or route by specific hosts.   Does anyone else
have experience with VPN between two private subnets?   Of course good IT
departments would refrain from using the class C private subnets and stick to
subdividing the class A and class B for their corporate environments so that
their employees can establish class C private subnets at home and still tunnel
in to work.   Don't mind me, networking people who have never been sysadmins get
on my nerves, why companies have people in charge of firewalls that do not
understand what they are firewalling is beyond me.

Regards,
John I Wang
Sr. Systems Engineer
Steverson Information Professionals

---
Enron Broadband Services
3 Allen Center 3AC872e
ph (713) 345-6863

The phone works now, they fixed the designation.

From: fx AT veritas DOT com
Sent: 02/23/01 12:18 PM (Please respond to fx)
To: veritas-bu AT mailman.eng.auburn DOT edu
cc: (bcc: John Wang/Contractor/Enron Communications)
Subject: Re: [Veritas-bu] nbu through a firewall

> From: Dana Bourgeois [mailto:Dana AT slamdunknetworks DOT com]
> Sent: Friday 16 February, 2001 17:49

> Have you gotten this to work?  I understand the theory of why
> you think it would work but if you haven't tried it yourself then until
> someone reports that they have it working, I would rather overgeneralize
> about NAT than make assumptions.

 i try to write only things i'm sure about ;-)

 i've set up some weeks ago two clients across a Cisco PIX doing dynamic
NAT - this couldn't work.
 so we've set up two static mappings for those clients. clients were
seen from the media server with different IPs than the "real" one
(clients have public IP addresses, but were seen from the media server
with private RFC1597 address, i.e. 192.168.x.x.). i don't remember
what i put in the hosts files on server & clients, i had to do
some testing before finding the correct combination - bpcd &
bprd logs in this case.

 we still had to allow the usual ports in order for backups
to run.

 Amicalement,
             fx

#include <std_disclaimer.h>

--
    fx AT veritas DOT com        | Serious error. All
François-Xavier Peretmere | Shortcuts have disappeared.
 http://www.veritas.com/  | Screen. Mind. Both are blank.

_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
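The thread turns on the difference between a one-to-one static NAT entry and a dynamically allocated pool address, and on the trick of pointing the client's local hosts table at the "false" public address of the master. The following toy model is an added example, written for this archive page and not code from anyone in the thread or from Veritas; it assumes the addresses, host names and the two port numbers given in the docstring (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; 13720 and 13782 are assumed to be the NetBackup bprd and bpcd ports). It shows why a client outside the firewall can initiate a connection to a statically mapped server before any traffic has flowed, why the same thing cannot work against a pool address, and what happens when another internal host grabs the pool address the client's hosts file expects.

```python
"""Toy model of the NAT behaviour discussed in this thread.

Two kinds of translation are modelled: a one-to-one static mapping (the
master server) and a dynamic pool (everything else). A client outside the
firewall resolves the server name through its own local hosts table and
connects to the public address it finds there; the firewall must both have
that (ip, port) opened for inbound traffic and hold a translation back to a
private address. All addresses, names and port numbers below are constructed
for the example: 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
documentation ranges, and 13720/13782 are assumed here to be the NetBackup
bprd/bpcd ports.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

BPRD_PORT = 13720  # assumed: NetBackup request daemon, opened inbound for clients
BPCD_PORT = 13782  # assumed: NetBackup client daemon, reached outbound from the servers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class ToyPix:
    """Firewall with static one-to-one NAT plus a dynamic pool (Cisco-style)."""

    def __init__(self, static: Dict[str, str], pool: Iterable[str],
                 inbound_allowed: Iterable[Tuple[str, int]]) -> None:
        self.static = dict(static)                    # private -> public, fixed
        self.pool: List[str] = list(pool)             # unused dynamic public addresses
        self.dynamic: Dict[str, str] = {}             # private -> public, created on outbound
        self.inbound_allowed: Set[Tuple[str, int]] = set(inbound_allowed)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Server-initiated traffic: allowed by policy; the source gets a public address.
        A host without a static entry takes the next free pool address, so which public
        address it ends up with depends on who talked first."""
        public = self.static.get(pkt.src) or self.dynamic.get(pkt.src)
        if public is None:
            if not self.pool:
                return None                           # pool exhausted: dropped
            public = self.pool.pop(0)
            self.dynamic[pkt.src] = public
        return Packet(public, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Client-initiated traffic: the control port must have been opened for that
        public address, and a translation back to a private address must exist."""
        if (pkt.dst, pkt.dport) not in self.inbound_allowed:
            return None
        for private, public in {**self.dynamic, **self.static}.items():
            if public == pkt.dst:
                return Packet(pkt.src, private, pkt.dport)
        return None                                   # port is open, but nothing is behind it yet


def client_connect(pix: ToyPix, hosts: Dict[str, str], client_ip: str,
                   server_name: str, port: int) -> Optional[str]:
    """A client outside the firewall resolves the server name from its LOCAL hosts
    table (the 'false' public address) and connects. Returns the private address
    actually reached, or None if the firewall dropped the packet."""
    public = hosts.get(server_name)
    if public is None:
        return None
    delivered = pix.inbound(Packet(client_ip, public, port))
    return delivered.dst if delivered else None


def build_demo() -> Tuple[ToyPix, Dict[str, str]]:
    """Constructed scenario: master is statically mapped, media1 is left to the pool."""
    pix = ToyPix(
        static={"10.1.1.10": "203.0.113.10"},
        pool=["203.0.113.50", "203.0.113.51"],
        inbound_allowed={("203.0.113.10", BPRD_PORT), ("203.0.113.50", BPRD_PORT)},
    )
    client_hosts = {"master": "203.0.113.10", "media1": "203.0.113.50"}
    return pix, client_hosts


if __name__ == "__main__":
    pix, hosts = build_demo()
    client = "198.51.100.7"
    print("master via static NAT :", client_connect(pix, hosts, client, "master", BPRD_PORT))  # 10.1.1.10
    print("master, port not open :", client_connect(pix, hosts, client, "master", BPCD_PORT))  # None
    print("media1 before outbound:", client_connect(pix, hosts, client, "media1", BPRD_PORT))  # None
    # Some other internal host talks out first and takes the pool address the client expects.
    pix.outbound(Packet("10.1.1.30", client, BPCD_PORT))
    print("media1 after outbound :", client_connect(pix, hosts, client, "media1", BPRD_PORT))  # 10.1.1.30
```

The last line is the failure mode fx ran into with dynamic NAT: the client's hosts entry is only as good as the translation standing behind the public address at that moment, so a name written into a hosts file can only be relied on for an address that is statically mapped; the opened control port on its own is not enough.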