How to NAT to address without an interface

  • My provider gave me 2 sets of IPs:

    • the first set is to connect to the ISP's network; let's call it SetA
    • the other set is for my internal machines; let's call it SetB

    Unfortunately, I have 20+ machines, and SetB is only a /29, so it's not much use. Since this is the 3rd or 4th provider in the last 3 years, I'm also not that quick to change my network config for each and every one of them, so I stick to plain old NAT, and all is well in the world. In other words, all my machines have private IPs, privSet.

    Except for the fact that the ISP lets me set revDNS on SetB but not on SetA, and I could really use revDNS, since I've got an Exchange server on privSet which is dual-homed (via NAT) to two ISPs (the other one let me set up revDNS properly).

    Since the network is set up on an SSG140, my current config is: a single virtual router, a single external interface configured to use a SetA address, VIPs set for some services on internal machines (Exchange's SMTP included), and the internal network NATted.

    What I'd like to achieve: map one address (or just a port, really) from SetB to the Exchange server.

    The way the ISP thinks about it is that I should have an external router (SetA on the outside, SetB on the inside) and then an internal one doing NAT (if needed), with SetB on "the outside" and privSet on "the inside". This is simple, but I don't want to put another device in there. I thought of using virtual routers on the SSG, so I'd have two routers, "intRouter" and "extRouter": extRouter would have two interfaces assigned and intRouter a single one; extRouter would connect to the ISP and (using a crossover cable) to intRouter; then I could do whatever I want with intRouter. The only downside is that I'd waste two physical interfaces on that solution. I need something that happens "internally".

    Do you have any ideas how to solve this, please?
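As an added illustration (not part of the original post, and not the poster's actual configuration), here is the setup described in the question written out in ScreenOS CLI form: one virtual router, one untrust interface carrying a SetA address, the trust interface in NAT mode, and a VIP forwarding SMTP to the Exchange server. All interface names, zone names and addresses are assumptions; 203.0.113.0/29 stands in for SetA and 192.168.1.0/24 for privSet.

```screenos
# Added example, not from the original post. Interface names, zones and
# addresses are assumptions: 203.0.113.0/29 stands in for SetA,
# 192.168.1.0/24 for privSet, 192.168.1.10 for the Exchange server.

# External interface holds the SetA address; default route to the ISP
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 203.0.113.2/29
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# Internal interface in NAT mode: privSet hosts leave with the
# untrust interface's SetA address as their source
set interface ethernet0/1 zone "Trust"
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat

# VIP: TCP/25 on the untrust interface's own address is forwarded to Exchange
set interface ethernet0/0 vip interface-ip 25 "SMTP" 192.168.1.10

# Inbound policy for the VIP, outbound policy for the NATted internal network
set policy from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "SMTP" permit
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
```

Note that the VIP here is bound to the untrust interface and uses that interface's own (SetA) address; the SetB address the question wants to forward from is not assigned to any interface in this configuration, which is exactly the gap the title refers to.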