> Message: 7
> do you have one centrally located backup server?  or multiple backup
> servers, one per vlan?  many people are doing hosting and other types of
> customer transactions on internal servers, so I can see why people
restrict
> ports.  people use nat quite a bit and hide nat behind the firewall or
> double layer it....  firewall->router->than internal hosts.
> my feeling is that unless you have tons of security concerns, network
design
> issues, customer data issues, you should be able to backup a firewall with
> out being too restrictive.  the firewall also needs to be configured
> correctly.  if it allows packets that have source addr's that are internal
> hitting its external interface, and they are allowed to pass....  the
> firewall has real problems.  I have seen people with issues like that, and
I
> can understand why they restrict internal servers heavily...

The Security requirements should drive the architecture, not the other way
'round
so some places will have to deal with NAT, multiple firewalls and stuff.
Reality
bites.

I couldn't get Netbackup to work through NAT.  Someone else said he could
get it 
to work through 1-to-1 NAT.   Since you are trying to backup the firewall
itself, 
NAT shouldn't enter the picture AS LONG AS YOU ARE CONNECTING TO THE LOCAL
INTERFACE.
I can't emphasize enough how screwed up the situation can get if you are not
trying
to connect to the interface that is on the same network as your backup
server.  

If you are using a VPN tunnel to access the firewall, well, good luck, Dude.
That's
bleeding edge for sure and you will need to do some testing and monitoring.





Dana Bourgeois
Slam Dunk Networks 
Digital Mechanic & Network Janitor
1.650.632-5543
1.650.996-5687  [cell]