X-no-Archive:yes
I have an apparently naive question about a router performing NAT, 'outside'
a firewall. The network engineer I am working with has assured me that he
knows what I am thinking, and it won't work, although he hasn't let me
explain what I am thinking (having mind-reading network engineers is a great
time-saver, but tough on the auditing requirements).

We are connected to a site, that requires that all 'outside' traffic go thru
their firewall, and that any access thru this firewall must come to the
firewall with an IP address assigned to a domain. When we connected our site
to their site, they asked to put their own router on the other side (our
side) of their firewall. All traffic between these two sites passes thru
this router and firewall. It turns out that we now want internal addresses
here to talk to an internal address there, and we are using overlapping
internal IP addresses (I know how to spell RFC 1597, and that's about all).
It seems to me that if their router would translate our internal address to
an assigned IP address before it reaches their firewall, they should be
happy. Between their router and their firewall, one would only see assigned
IP addresses. So what am I missing, or misunderstanding?

our LAN+--[router] --------- [firewall]-+their LAN
|                                        |
internal<->xlate<->assigned<->xlate<->   internal

Greg Stigers
http://www.cgiusa.com