Topic: HowTo for two private networks?  (Read 2567 times)
« on: April 28, 2008, 02:38:40 »
aaran.stent *
Posts: 2

Hi,

Hoping to find an example of how this is done.  I have been trying for 2 days to get this working but am missing some vital information.

Scenario:
We recently purchased a new hospital and would like to get them limited access to the larger corporate structure as soon as possible.  Our corporate WAN uses a 10.0.0.0/8 network addressing range for approx 25 sites.  The new hospital uses a single class C 192.168.0/24 network.  Unfortunately we connect to a vendor who also uses 192.168.0/24 and we have routes on our network to ensure traffic is delivered to the vendor.

Solution:
I would like to install a M0n0wall firewall between the 10.21.0.0/16 network assigned to the hospital.  The new hospital has assigned me 10 IP addresses 192.168.0.220 to 192.168.0.230 that I can use.  I have assigned the WAN interface to 192.168.0.220 and the LAN to 10.21.0.1.

The intention is to then set up 1:1 NAT rules to allow users on the Hospital (192.168.0.0/24) network to access the intranet server (10.0.0.50) on the corporate WAN by browsing to 192.168.0.220.  The traffic will need to be NATed to a 10.21.0.0/16 address to ensure it can travel across the corporate WAN.

Any assistance would be greatly appreciated.

Aaran
« Reply #1 on: April 28, 2008, 11:20:19 »
markb ****
Posts: 331

I believe that you have the correct idea with the NAT, however you will need the interfaces the other way round, with the WAN on the Main net and the LAN on the Class C subnet.  Then you create a 1:1 NAT for each IP address that will be used on the LAN side.  However, if you do not need much access to the other subnet, you might consider just using simple NAT.
« Reply #2 on: April 28, 2008, 12:04:08 »
dnn *
Posts: 19

It is right that the m0n0wall's WAN interface has to be in the corporate WAN, because this is the only way the "address translation", needed because of the two 192.168.0/24 nets, can be made.

But I think he does not have to create a 1:1 NAT rule for each IP address on the LAN.
A simple mapping like this would do the same thing faster:
Iface: WAN
Ext. subnet: 10.0.X/24
int. subnet: 192.168.0/24
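
The subnet-wide 1:1 mapping suggested above, modelled as an added example that is not part of the original post or of m0n0wall itself: it checks a candidate external prefix against existing routes and translates addresses by keeping the host bits. The external prefix 10.21.0.0/24 (a slice of the 10.21.0.0/16 mentioned in the first post, since the post leaves X unspecified) and the route table are assumptions constructed for illustration.

```python
import ipaddress

# Constructed corporate routes (assumption), keyed by prefix.
CORPORATE_ROUTES = {
    "192.168.0.0/24": "vendor link",
    "10.0.0.0/24": "corporate servers (intranet 10.0.0.50)",
}

def translate(addr, src_net, dst_net):
    """1:1 subnet NAT: swap the network prefix, keep the host bits."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 subnet mapping needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is outside {src}")
    return str(dst.network_address + (int(ip) - int(src.network_address)))

def route_conflicts(candidate, routes=CORPORATE_ROUTES):
    """Existing routes that overlap the prefix the hospital would appear as."""
    net = ipaddress.ip_network(candidate)
    return sorted(p for p in routes if ipaddress.ip_network(p).overlaps(net))

HOSPITAL_INT = "192.168.0.0/24"   # real hospital addressing (from the thread)
HOSPITAL_EXT = "10.21.0.0/24"     # assumed slice of the assigned 10.21.0.0/16

if __name__ == "__main__":
    # Untranslated, the hospital prefix collides with the vendor route.
    print(route_conflicts(HOSPITAL_INT))
    # Behind the 1:1 mapping it appears as a prefix with no overlap.
    print(route_conflicts(HOSPITAL_EXT))
    # Outbound translation and the reverse mapping for return traffic.
    out = translate("192.168.0.37", HOSPITAL_INT, HOSPITAL_EXT)
    print(out, translate(out, HOSPITAL_EXT, HOSPITAL_INT))
```
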
« Reply #3 on: May 06, 2008, 05:23:18 »
aaran.stent *
Posts: 2

Thanks for the tips.  The issue I have is I didn't want to have to change routes on the remote site (now the LAN interface).  I want to make the web server 10.0.0.50 for example available on the LAN interface via a 192.168.0.221 address.

If this was the WAN interface then I would use Server NAT.  Is there a way to use the 192.168.0.221 address and map/nat it to a 10.0.0.0/8 address?

Thanks.

Aaran
« Reply #4 on: May 09, 2008, 01:54:48 »
dnn *
Posts: 19

Hmm, I don't think this is possible.

But why do you want to map the LAN address 192.168.0.221 to 10.0.0.50?

From within the external LAN you can access the 10.0.0.50 without any problem.


PS: There is a very dirty way that you should only use if you really need it, and it only works if the servers inside your network don't need access to the IP addresses from the vendor's net:
you could assign the webserver, for example, the 192.168.0.221 and in m0n0wall add a static route:
iface: LAN
destination: 192.168.0.221
gateway: 10.0.0.5

Yes, this is a very dirty and ugly way.
 