Wednesday, March 01, 2006

NAT, firewalls and Robert Bays

I was doing a NAT and firewall configuration on one of our products for a beta site yesterday. The site required some static NAT rules filtered through a firewall. Having never personally done static NAT on the Vyatta router/firewall, I thought I'd give it my best shot and use Robert as my safety blanket.

About halfway through the configuration, I had the static configuration done, but it wasn't working. It then occurred to me that the static NAT configuration that I was doing required a public IP address that was different from the IP address assigned to the public-facing Ethernet port. In other words, the public IP address on the router/firewall was x.x.x.1 and I was making a static NAT to x.x.x.2. I thought that the router/firewall would see the static NAT mapping to x.x.x.2 and automatically know to answer ARPs and then subsequently NAT the packets properly. But, just to check myself, I went over to Robert, explained the configuration to him and asked his opinion. He said, "It should work" or "That sounds right" or something to that effect. I should also mention that this was around 1pm.

Fast-forward to about 5pm. I'm now bleary-eyed after staring at NAT and firewall rules. I tuck my tail between my legs and go over to ask Robert for his help on the configuration. He says to me with a chuckle, "I kind of was hoping you'd figure this out on your own..."

Fast-forward to about 6:30pm. Robert has been plugging away at the configuration for about 90 minutes when he says, "Wait a sec - let's add x.x.x.2 as a secondary IP address on the public facing Ethernet port." When he does that, everything starts to work just fine. At which point I bring up to him that this was the exact question I had asked him back at 1pm. And Robert replies with a laugh, "Yes, but I didn't really hear you before."

So, two lessons here: 1) The public IP address used by a static NAT rule must actually be configured on the public-facing interface (a secondary address is fine). A NAT rule on its own does not make the router answer ARP for that address, so the upstream switch or router never sends the packets to the box and the NAT rule never sees them. And 2) make sure Robert can hear you when you ask him a question. :)
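The mistake above is easy to catch before the router is ever touched: every external address named in a static NAT rule must be one the public interface owns. The script below is an added example written for this post, not Vyatta's own tooling, and it uses a hypothetical flat config format (one `iface` and one `nat` line per entry) so that it runs offline on constructed sample input; the address ranges are documentation addresses standing in for the x.x.x.1 / x.x.x.2 in the story. It flags rules whose external address is on the interface's subnet but not configured (the router will not answer ARP for it) separately from addresses outside the subnet entirely (where a secondary address would not help and the upstream must route the prefix to the box), and it emits the secondary addresses that would fix the first kind.

```python
"""Pre-flight check for static (1:1) NAT: does the public interface own
every external address the NAT rules use?  Added example; the config
format below is hypothetical and simplified, not Vyatta syntax."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str
    interface: str                    # public-facing interface the rule hangs on
    external: ipaddress.IPv4Address   # address the outside world connects to
    internal: ipaddress.IPv4Address   # host behind the firewall


# Constructed sample input.  "iface <name> <addr/prefix>", primary address first.
INTERFACES = """\
iface eth0 203.0.113.1/24
iface eth1 10.0.0.1/24
"""

# Constructed sample input.  "nat <name> <iface> <external> <internal>".
# web-a reproduces the post's mistake: eth0 owns .1, the rule uses .2.
NAT_RULES = """\
nat web-a eth0 203.0.113.2 10.0.0.80
nat mail  eth0 203.0.113.1 10.0.0.25
nat far   eth0 198.51.100.7 10.0.0.90
"""


def parse_interfaces(text):
    """Map interface name -> list of IPv4Interface (address plus its prefix)."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "iface":
            continue
        _, name, cidr = fields
        addrs.setdefault(name, []).append(ipaddress.ip_interface(cidr))
    return addrs


def parse_nat_rules(text):
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "nat":
            continue
        _, name, iface, ext, internal = fields
        rules.append(NatRule(name, iface,
                             ipaddress.ip_address(ext), ipaddress.ip_address(internal)))
    return rules


def check_static_nat(interfaces, rules):
    """Return (rule name, problem) pairs.  Empty means the router itself will
    answer on the wire for every external address, so the NAT rules can fire."""
    findings = []
    for rule in rules:
        owned = interfaces.get(rule.interface, [])
        if any(rule.external == i.ip for i in owned):
            continue  # primary or secondary address is configured: fine
        if any(rule.external in i.network for i in owned):
            findings.append((rule.name,
                f"{rule.external} is on {rule.interface}'s subnet but not configured "
                f"there, so the router will not answer ARP for it; add it as a "
                f"secondary address on {rule.interface}"))
        else:
            findings.append((rule.name,
                f"{rule.external} is not on any subnet of {rule.interface}; a "
                f"secondary address will not help, the upstream must route it here"))
    return findings


def secondary_addresses_needed(interfaces, rules):
    """Addresses (with the subnet's prefix) to add so the fixable rules work."""
    needed = []
    for rule in rules:
        owned = interfaces.get(rule.interface, [])
        if any(rule.external == i.ip for i in owned):
            continue
        for i in owned:
            if rule.external in i.network:
                cidr = f"{rule.external}/{i.network.prefixlen}"
                if cidr not in needed:
                    needed.append(cidr)
                break
    return needed


if __name__ == "__main__":
    ifaces = parse_interfaces(INTERFACES)
    rules = parse_nat_rules(NAT_RULES)
    for name, problem in check_static_nat(ifaces, rules):
        print(f"{name}: {problem}")
    for cidr in secondary_addresses_needed(ifaces, rules):
        print(f"fix: add {cidr} as a secondary address")
```

Run against the sample, it reports `web-a` as fixable by adding 203.0.113.2/24 to eth0 and `far` as a routing problem rather than an ARP one; once the secondary address is added to the interface list, only `far` remains. The same check is worth running whenever a NAT rule is added, since the symptom of the missing address (silence, no hits on the rule) looks exactly like a broken firewall rule.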
