IGNITe/400 Mailing List Archive Entry
Bob,

Another option that I overlooked is to simply use just the 156.x.x.x
addresses for web serving and have the internal users access the server
through the firewall as they would any other server on the Internet. The
difference would be that they wouldn't actually go out to the Internet
since I assume that the web server is in the same subnet as the nonsecure
port of the firewall. Again, if the firewall is down your internal users
can't access the web server and I don't know if this is acceptable or not.

Just a thought,
Rod





ign_list@ignite400.org (IGNITE400 MEMBERS LIST) on 02/05/99 12:14:26 PM

Please respond to ign_list@ignite400.org

To: ign_list@ignite400.org (IGNITE400 MEMBERS LIST Mailing List)
cc: (bcc: Rod L Davis/RyTE/US)
Re: Multi-Home & V4R3 NAT




Bob,

If I followed the network correctly it seems to me that options 1 & 3 are
basically the same with respect to HTTP traffic. They work fine, but yes
if the firewall goes down you're out of business. I personally like option 2
but haven't yet had the time to test it. Every time I sit down to do it
something else comes up. :( I should have it running within a couple of
weeks but that doesn't help you now.

While you're at it though, you should probably implement packet filtering on
the AS/400 (if you haven't already) just out of general paranoia. The hit
to the AS/400 is supposed to be next to nothing and it's one more road
block in the way.

Rod Davis





ign_list@ignite400.org (IGNITE400 MEMBERS LIST) on 02/05/99 10:06:00 AM

Please respond to ign_list@ignite400.org

To: ign_list@ignite400.org (IGNITE400 MEMBERS LIST Mailing List)
cc: (bcc: Rod L Davis/RyTE/US)
Multi-Home & V4R3 NAT




All,

I have an interesting multi-homing situation that I could use some help
resolving.

I have an S10 server that has a Token Ring and Ethernet Adapter. The TR
side is connected to a lan/wan and the Ethernet side is connected to a DMZ
segment with the Internet router and a firewall (which restricts user access
between the lan/wan and the internet).

The S10 runs three webservers, SMTP, & POP. The webservers are configured
to run on ports 80, 8081, and 81 respectively. We are using 141.11.20.58 as
the IP for the token ring and 156.96.80.4 as the IP for the Ethernet. Since
NONE of our servers are multi-homed, an internal user can access the web
servers via 141.11.20.58 and an external internet user knows the server as
156.96.80.4. Since none of the servers are multi-homed, we have had no
problem with this configuration.

Now, the problem. We now have a need to host another site with a new domain
name which must map to a new IP address. Public address: 156.96.80.70.

As I see it, if I turn on multi-homing (I/Net Commerce Server/400) and BIND
SPECIFIC on IBM's HTTP server then the server will bind to the port it's
been told to bind to on the IP address that it finds a) in the AS/400's host
names table, or DNS.

This means that if the server finds the 141.. the server will bind to that
address and my INTRANET folks will be extremely happy, but my INTERNET folks
will be extremely unhappy since the 156.. address would not be bound to
anything.

I am thinking that I have two possible solutions to my woes here:

1) Move the AS/400 behind the firewall (not a great idea IMHO) and use
Network Address Translation on the firewall with the AS/400 knowing only
the internal IP addresses. I've done this and I know it works, but the AS/400
then is dependent on a PC-based firewall. The whole site crashes and burns
when the PC or IPCS card fails.

2) Enable the new NAT support on V4R3 and see if the 156.. address can be
translated to the 141 so that the servers are all associated with the 141...
internal addresses which will in the future become 10...

3) Use the firewall's NAT support so that 156 traffic is translated to
141... equivalents and routed to the 400 which only knows 141 addresses?

Option 3 is the easiest, has anyone tried option 2 using the native OS/400
NAT support in V4R3?

Bob C.






© Copyright 1999 by IGNITe/400
This page last updated Sat, 21 Aug 1999 16:41:00