Specific NAT question.



  • I have a specific need to allow clients of a private net (connected to OPT3 w/ 10.10.10.0/24 reserved DHCP addresses) to connect to the LAN net (145.191.112.0/20 > static addresses via DHCP reservations).  BTW only a small supernet of address are attached to the pfS box (145.191.114.0/23).

    The issue is that there are servers in the LAN that the clients of the OPT3 network need access to and these servers REQUIRE 145.191.x.x addresses to access them.  These admins will NOT allow private address space to access their servers (tcpwrappers, iptables and other SELinux methods).  They are not willing to budge on this ….. so my thinking is that I can set up a NAT pool to NAT the OPT3 addresses (10.10.10.x) to some open LAN address space (145.191.x.x).

    I have tried slicing off a very little subnet 255.255.255.242 of the OPT3 net and doing some 1:1 NAT with these addresses and those of the LAN in the same way, but I have had very little luck.

    QUESTION I
    Is this type of NAT setup even possible?

    QUESTION II
    Do the subnets have to match on either side of the NAT schema?

    QUESTION III
    I am using 1:1 because I want to control which OPT3 clients have access into the LAN (is this correct thinking)?

    QUESTION IV
    Do I have to get the admins of the routable LAN net to carve out a specific subnet for me to use the 1:1 NAT schema?

    QUESTION V
    Do I have to use VIPs and if so what type (Proxy ARP, CARP or plain VIP)?

    QUESTION VI
    Will I have to disable AON (automatic outbound NAT) and create manual outbound NATting to get this configuration working?

    Thanks for your help in advance!!
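A worked check of the netblock 1:1 mapping the question describes, added here as an example (not code from the thread or from pfSense): it validates a dotted netmask and derives the host-for-host pairing that a netblock-to-netblock 1:1 (binat) rule applies, which only works when both blocks have the same prefix length. The two /28 blocks and the client addresses are constructed sample values, not values from the post.

```python
import ipaddress
from typing import Optional

# Constructed sample values for the scenario in the post: a small block carved
# out of the OPT3 network (10.10.10.0/24) and an unused block of the same size
# inside the public range attached to the firewall (145.191.114.0/23).
# Both blocks are assumptions chosen for illustration.
OPT3_BLOCK = "10.10.10.16/28"
LAN_BLOCK = "145.191.114.208/28"


def mask_prefix(mask: str) -> Optional[int]:
    """Return the prefix length of a dotted netmask, or None when the mask is
    not a contiguous run of 1-bits (a typo such as 255.255.255.242 is rejected)."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return prefix if bits == contiguous else None


def onetoone_map(inside: str, outside: str) -> dict:
    """Pair every address in `inside` with the address in `outside` that carries
    the same host bits, which is what a netblock 1:1 (binat) rule does.
    Raises ValueError when the blocks are not the same size."""
    i_net = ipaddress.ip_network(inside, strict=True)
    o_net = ipaddress.ip_network(outside, strict=True)
    if i_net.prefixlen != o_net.prefixlen:
        raise ValueError(
            f"1:1 netblock NAT needs equal-sized blocks: "
            f"/{i_net.prefixlen} vs /{o_net.prefixlen}"
        )
    host_mask = int(i_net.hostmask)
    base = int(o_net.network_address)
    return {
        str(addr): str(ipaddress.IPv4Address(base | (int(addr) & host_mask)))
        for addr in i_net
    }


def translate(src: str, mapping: dict) -> Optional[str]:
    """Public address an OPT3 client would appear as, or None when the client
    is outside the mapped block (and so never gets a 145.191.x.x address)."""
    return mapping.get(src)


if __name__ == "__main__":
    table = onetoone_map(OPT3_BLOCK, LAN_BLOCK)
    for inside_ip, outside_ip in table.items():
        print(f"{inside_ip:<16} -> {outside_ip}")
    print(mask_prefix("255.255.255.240"), mask_prefix("255.255.255.242"))
    print(translate("10.10.10.20", table), translate("10.10.10.50", table))
```

Only clients inside the mapped block get a translated address, which is the property the post wants to use to control which OPT3 hosts reach the LAN servers.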



  • Please do not cross post.  This was sent to the mailing list as well!

