Need to add NAT to IPCS Firewall


  • Need to add NAT to IPCS Firewall

    We are an OS/400 V4R3 dual homed IPCS based firewall user that needs to add NAT to our firewall to permit users to access remote hosts. We are currently using the firewall to route email through, do filtering, and proxy serving for HTTP and FTP. I have a basic understanding of the advantages of NAT already, but have not yet dug up the details of how to implement it. I have my pool of available IP addresses and am looking for anyone who had a similar configuration and did the switch to NAT already to see if there are any “gotchas” or any specific directions that will guide me through this change without too much dramatics. Thanks! JC

  • #2
    Need to add NAT to IPCS Firewall

    On Thursday, March 11, 1999, 02:33 PM, John L. Clark wrote:

    We are an OS/400 V4R3 dual homed IPCS based firewall user that needs to add NAT to our firewall to permit users to access remote hosts. We are currently using the firewall to route email through, do filtering, and proxy serving for HTTP and FTP. I have a basic understanding of the advantages of NAT already, but have not yet dug up the details of how to implement it. I have my pool of available IP addresses and am looking for anyone who had a similar configuration and did the switch to NAT already to see if there are any “gotchas” or any specific directions that will guide me through this change without too much dramatics. Thanks! JC

    We have Cisco routers and firewalls so I don't know about the IPCS firewall. However, we use NAT. I have always used NAT when I set up a site on the Internet. NAT allows the number of users to exceed the number of registered addresses. At our corporate headquarters we have a Class C registered address so we have 255 registered IP addresses. However, we have some 400 PCs and users on the corporate network. They could all use the Internet at the same time, even though we only have 255 registered addresses.

    There are 3 blocks of addresses never registered. They are:

      10.0.0.0 - 10.255.255.255
      172.16.0.0 - 172.31.255.255
      192.168.0.0 - 192.168.255.255

    You set your internal network numbers to unregistered numbers in one of these 3 blocks. I usually use the 10 numbers. Inside our network, everything starts with the number 10. When someone wants to access the Internet, the firewall translates the 10 address to one of the registered IP addresses. If all of the registered addresses are in use, the firewall will share addresses, using different port numbers for the client. At our site this never happens, but it is a feature of the Cisco equipment.

    In addition to the Internet, we have frame relay and leased line connections to 13 other companies that are trading partners. Some of these other companies use the 10 number for their internal networks and that conflicts with our numbers. Some of these companies are using registered numbers that they do not own. We use NAT to translate the addresses.

    JHicks@SUZ.com
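
The translation behaviour described in the reply above, as an added example that is not part of the original posts and not any vendor's implementation. It is a toy model: the registered pool uses constructed documentation addresses (203.0.113.x), and the names `NatTable`, `translate` and `is_unregistered` are hypothetical.

```python
import ipaddress

# The three unregistered blocks listed in the post, in CIDR form.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_unregistered(addr):
    """True if addr falls inside one of the three unregistered blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_BLOCKS)

class NatTable:
    """One registered address per inside host while the pool lasts,
    then shared addresses told apart by port number."""

    def __init__(self, pool, first_port=1024):
        self.pool = list(pool)    # registered addresses (constructed)
        self.free = list(pool)    # not yet handed to an inside host
        self.one_to_one = {}      # inside ip -> registered ip
        self.shared = {}          # (inside ip, port) -> (registered ip, port)
        self.next_port = first_port

    def translate(self, inside_ip, inside_port):
        """Return the (registered ip, port) seen on the Internet side."""
        if not is_unregistered(inside_ip):
            raise ValueError("inside hosts must use unregistered addresses")
        if inside_ip not in self.one_to_one and self.free:
            self.one_to_one[inside_ip] = self.free.pop(0)
        if inside_ip in self.one_to_one:
            return self.one_to_one[inside_ip], inside_port
        # Pool exhausted: share a registered address, rewrite the port.
        key = (inside_ip, inside_port)
        if key not in self.shared:
            addr = self.pool[len(self.shared) % len(self.pool)]
            self.shared[key] = (addr, self.next_port)
            self.next_port += 1
        return self.shared[key]

if __name__ == "__main__":
    nat = NatTable(["203.0.113.1", "203.0.113.2"])
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8"):
        print(host, "->", nat.translate(host, 40000))
```

A real device keys shared translations on the full connection rather than on the inside address and port alone; the model keeps only what the post describes.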



    • #3
      Need to add NAT to IPCS Firewall

      On Thursday, March 11, 1999, 02:33 PM, Ananth Raghuraman wrote:

      I am a student trying to develop an intranet for the Computer Science dept. I would appreciate it if you would help me with the following question: I have some HTML pages and subdirectories in the QOpenSys file system. I want the general public to be able to view them by typing in the URL in this format: http://IP address/subdirectory name/file name.html. I tried all means to get it working by giving authorization to the QMHHTTP profile, using the "Administration and Configuration Forms" of the AS/400 Tasks page etc., but nothing worked. I even edited the configuration file to include the statement "Pass / /inet/*" to grant access to the subdirectory inet (using the WRKHTTPCFG command), but even that didn't work. If you can't answer the question, please forward it to someone who can. Thanks, Ananth

      If you are placing HTML files in a subdirectory of QOpenSys, you will have to do one of two things:

      If you don't mind the URL being http://IPaddress:port/QOpenSys/subdirname/file.html, do the following:

      1. Change your PASS directive to /QOpenSys/subdirname/*

      Or, if you want the URL to be http://IPaddress:port/subdirname/file.html, you will have to do the following:

      1. (Same as #1 above)
      2. Add a MAP statement that reads MAP /subdirname/* /QOpenSys/subdirname/*

      Remember that case does matter and you may have to place multiple MAP statements in your HTTP configuration. Also, if you are not using the default port (80 I believe) you will have to specify the port on the URL in your browser.

      I would suggest making your own directory in the root structure of the IFS instead of placing subdirectories inside of QOpenSys. From what I understand, QOpenSys is a general purpose directory and giving access to it might not be the best bet. At our shop we have started creating directories named things like "HTML" or "WEB" in the root directory. This way we don't have to code as many MAP directives and we are sure that access to the other directories is not compromised.

      http://prairie.lakes.com/~bvstone/
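
A way to compare what different rule sets expose before changing the configuration, as an added example that is not part of the original posts and not the HTTP server's own code. It is a simplified model that assumes rules are read top to bottom, MAP rewrites and continues, PASS accepts and stops, and anything not accepted is refused; the `BROAD` and `DEDICATED` rule sets and the request paths are constructed.

```python
# Simplified model of top-to-bottom Map/Pass request routing.
# Assumptions: Map rewrites and keeps going, Pass accepts and stops,
# a request that no Pass accepts is refused, templates hold one '*'.

def match(template, path):
    """Return the text matched by '*' (case-sensitive), or None."""
    if "*" not in template:
        return "" if path == template else None
    head, tail = template.split("*", 1)
    fits = len(path) >= len(head) + len(tail)
    if fits and path.startswith(head) and path.endswith(tail):
        return path[len(head):len(path) - len(tail)]
    return None

def resolve(rules, url_path):
    """Return the IFS path that would be served, or None if refused."""
    path = url_path
    for directive, template, replacement in rules:
        wild = match(template, path)
        if wild is None:
            continue
        rewritten = replacement.replace("*", wild, 1) if replacement else path
        if directive == "Map":
            path = rewritten      # later rules see the rewritten path
        elif directive == "Pass":
            return rewritten      # accepted
    return None

# Rule sets: the first follows the post; the other two are constructed.
MAPPED = [("Map", "/subdirname/*", "/QOpenSys/subdirname/*"),
          ("Pass", "/QOpenSys/subdirname/*", None)]
BROAD = [("Pass", "/QOpenSys/*", None)]    # whole of QOpenSys reachable
DEDICATED = [("Pass", "/WEB/*", None)]     # directory made only for web content

def reachable(rules, requests):
    """Subset of requests that the rule set would serve."""
    return [r for r in requests if resolve(rules, r) is not None]

# Constructed request paths for comparison.
REQUESTS = ["/subdirname/file.html", "/SubDirName/file.html",
            "/QOpenSys/subdirname/file.html", "/QOpenSys/other/notes.txt",
            "/WEB/index.html"]

if __name__ == "__main__":
    for name, rules in (("MAPPED", MAPPED), ("BROAD", BROAD),
                        ("DEDICATED", DEDICATED)):
        print(name, reachable(rules, REQUESTS))
```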
