Has anyone done this before, and how well does it work?
-First tier has Internet-facing VIP addresses with 1:1 NAT relationships to VIPs that reside on the external interfaces of the second-tier firewalls.
-That internal tier's VIP addresses all perform some kind of port forwarding for FTP, HTTP, or other protocols, and also some proxying.
It looks like this:
-Second tier FW-
1:1 NAT from VIP1 to VIP2
VIP2 does port redirection for HTTP
How well does that work? I'm concerned with the double-NAT part in particular. Can any of y'all see any problems there?
I run a similar setup at home, but don't NAT on the internal (second) firewall. You can route on that one and avoid all the issues of double NAT.
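An added model (not code from either poster) of the two paths discussed above: the question's topology, where tier 1 does a 1:1 NAT from VIP1 to VIP2 and tier 2 then port-redirects HTTP, beside the reply's suggestion of translating once at tier 1 and only routing at tier 2. All addresses are constructed placeholders; the point it shows is how many translation entries each design leaves for the reply packet to be reversed through.

```python
"""Two-tier firewall path: double NAT (as in the question) versus NAT once
and route (as in the reply). Addresses are constructed sample values."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Constructed placeholder addresses; VIP1/VIP2 are the labels from the post.
VIP1, VIP2, WEB = "203.0.113.10", "10.1.1.10", "10.2.2.20"

def nat_1to1(pkt, outside, inside):
    """Static 1:1 NAT: every port on `outside` is rewritten to `inside`."""
    return replace(pkt, dst=inside) if pkt.dst == outside else pkt

def port_forward(pkt, vip, port, server, server_port):
    """Port redirection: one port on `vip` is rewritten to server:server_port."""
    if pkt.dst == vip and pkt.dport == port:
        return replace(pkt, dst=server, dport=server_port)
    return pkt

def trace(pkt, hops):
    """Apply each (name, fn) hop in order. Returns only the hops that rewrote
    headers: each is a stateful translation the reply must pass back through,
    so the return path has to cross the same devices in reverse order."""
    path = []
    for name, fn in hops:
        out = fn(pkt)
        if out != pkt:
            path.append((name, out))
        pkt = out
    return path

def double_nat_path(client="198.51.100.7"):
    """Question's design: 1:1 NAT at tier 1, port redirect at tier 2."""
    return trace(Packet(client, VIP1, 80), [
        ("tier1 1:1 NAT", lambda p: nat_1to1(p, VIP1, VIP2)),
        ("tier2 port redirect", lambda p: port_forward(p, VIP2, 80, WEB, 8080)),
    ])

def routed_path(client="198.51.100.7"):
    """Reply's design: tier 1 forwards straight to the server, tier 2 routes."""
    return trace(Packet(client, VIP1, 80), [
        ("tier1 port forward", lambda p: port_forward(p, VIP1, 80, WEB, 8080)),
        ("tier2 route only", lambda p: p),
    ])
```

Both designs deliver the same packet to the web server with the client's source address intact (DNAT rewrites only the destination), but the first leaves two translation states that must both be reversed on the way back, which is what makes the double-NAT path harder to troubleshoot and dependent on symmetric routing.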
Can you give me an example of issues I might run into with the double-NAT stuff?