L. Mark Stone wrote:

> I need only static NAT.

Yes, I understood that ;-) ...

> I want to move the web servers behind the firewall, give them private IP addresses (which makes updating their content from the LAN much easier), and have the firewall forward traffic destined for their public IP addresses to the servers, which will have (going forward) only private IP addresses.

There are user-level gateways for just that purpose too. I guess when it comes to really high-bandwidth web servers IP NAT rules, but it's just another option. Look for package "rinetd".

> In other words, have the T-1 DSU/CSU connect to the WAN ethernet card on the firewall, have the LAN ethernet card on the firewall plug in to the switch, and then have the web servers and the rest of the internal network connect to the switch. (We may or may not subnet the web servers.)
>
> We do this with Cisco PIX firewalls all the time. It's easy, and there's only one firewall to configure.

Whether or not it's good security policy to have internal machines (which the web servers are in this setup) exposed in such a way, or if you should add another firewall to have them on their own network between the firewalls, is another topic...

Michael
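The setup discussed above (public addresses terminating on the firewall's WAN side, web servers holding only private addresses, rinetd as the user-level alternative, and the question of whether the servers share a segment with the rest of the LAN), as an added example that is not part of the thread and not a PIX configuration. It assumes a Linux firewall using iptables; the interface names eth0/eth1, the TEST-NET-3 public addresses, the 192.168.1.0/24 LAN and the port lists are all invented for illustration.

```python
"""Generate 1:1 static NAT rules for a Linux firewall, the equivalent
rinetd.conf lines, and a check for the same-segment caveat.

Added example for the thread above; assumptions are marked as such.
"""
import ipaddress

# Assumed interface names: WAN side faces the T-1 DSU/CSU, LAN side faces the switch.
WAN_IF = "eth0"
LAN_IF = "eth1"

# RFC 1918 blocks; checked explicitly rather than via ip_address.is_private,
# which also flags documentation ranges such as 203.0.113.0/24 as "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class StaticMap:
    """One public address mapped 1:1 onto one private server address."""

    def __init__(self, public, private, tcp_ports):
        if is_rfc1918(public):
            raise ValueError(f"{public} is an RFC 1918 address, not a publishable one")
        if not is_rfc1918(private):
            raise ValueError(f"{private} is not an RFC 1918 address")
        if not tcp_ports or any(not 1 <= p <= 65535 for p in tcp_ports):
            raise ValueError(f"bad port list {tcp_ports!r}")
        self.public = str(ipaddress.ip_address(public))
        self.private = str(ipaddress.ip_address(private))
        self.tcp_ports = tuple(tcp_ports)


def iptables_rules(maps, wan_if=WAN_IF, lan_if=LAN_IF):
    """Static NAT in the kernel. The public addresses must be routed to (or
    aliased on) the firewall's WAN interface so the packets arrive at all."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for m in maps:
        # Inbound: rewrite the public destination to the server's private address
        # before routing, so FORWARD already sees the private address.
        rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -d {m.public} "
                     f"-j DNAT --to-destination {m.private}")
        # Outbound: rewrite the server's private source back to its public address,
        # so replies and server-initiated traffic leave with the published IP.
        rules.append(f"iptables -t nat -A POSTROUTING -o {wan_if} -s {m.private} "
                     f"-j SNAT --to-source {m.public}")
        # Only the published TCP ports may open new connections towards the server.
        for port in m.tcp_ports:
            rules.append(f"iptables -A FORWARD -i {wan_if} -o {lan_if} -d {m.private} "
                         f"-p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules


def rinetd_conf(maps):
    """User-level alternative: rinetd.conf lines in its
    'bindaddress bindport connectaddress connectport' format."""
    return [f"{m.public} {port} {m.private} {port}" for m in maps for port in m.tcp_ports]


def servers_on_lan_segment(maps, lan_network):
    """Servers whose private address lies inside the internal LAN subnet.
    Traffic between two hosts on one segment never crosses the firewall, so
    none of the rules above constrain what a compromised server can reach there."""
    lan = ipaddress.ip_network(lan_network)
    return [m.private for m in maps if ipaddress.ip_address(m.private) in lan]


# Constructed sample: two web servers published on TEST-NET-3 addresses.
WEB_SERVERS = (
    StaticMap("203.0.113.10", "192.168.1.10", (80, 443)),
    StaticMap("203.0.113.11", "192.168.1.11", (80,)),
)

if __name__ == "__main__":
    print("\n".join(iptables_rules(WEB_SERVERS)))
    print("\n# rinetd.conf")
    print("\n".join(rinetd_conf(WEB_SERVERS)))
    exposed = servers_on_lan_segment(WEB_SERVERS, "192.168.1.0/24")
    if exposed:
        print(f"\n# warning: {exposed} share the LAN segment; firewall cannot filter server-to-LAN traffic")
```

The DNAT/SNAT pair is what "static NAT" means on a Linux box: every packet to the public address becomes a packet to the private one and vice versa, regardless of port, while the FORWARD rules decide which ports are actually reachable. The rinetd lines do the same job per port in user space, at the cost of a proxy hop. The last function makes the point of the reply concrete: if the mapped servers sit in the same subnet as the workstations, the firewall never sees traffic between them, which is why putting them on their own subnet or behind a second firewall is a separate decision.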