>-----Original Message-----
>From: Ben Nagy [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, February 20, 2001 4:45 PM
>To: 'Jim Johnson'; [EMAIL PROTECTED]
>Subject: RE: To NAT or not to NAT in the DMZ, that is the question.
>
>
>If you're using a PIX, then I'd do it the PIX way - NAT. It's a complete
>pain to try and configure PIXen without NAT and the documentation
>recommends against it.
>
>Unless you have a very specific reason for not using NAT (e.g. a protocol
>that is not PIX NAT-able) then it's usually best to follow the
>recommendations, if only for supportability.
>
>BTW: Standard PIX philosophy would see your DMZ hosts being advertised on
>the trusted LAN as static NAT translations - i.e. in the trusted IP range.
After thinking about this for a couple of days I've managed to confuse myself
again. Do I understand correctly that it is best (PIX) practice to use
private addresses in your DMZ, and then statically NAT them to both the
Internet AND your internal network? (My internal network already uses
private addresses and is NATed to the Internet.)

Ben pointed out earlier that there are (or were at least) problems with the
PIX nat 0 command. Assuming that there is no problem turning off NAT for the
DMZ interface, I'm leaning towards my original gut feeling of using valid
public IPs in my DMZ. I wouldn't NAT to or from the DMZ to either the
Internet or my internal network. It just seems simpler not to NAT if you
don't have to.

I can see 4 different ways I could address my DMZ, as I show in my list
below. I'm leaning towards option 2. Any more thoughts and/or comments on
this?
1. Use public DMZ addresses and then NAT just to the inside
2. Use public DMZ addresses and don't do nat anywhere
3. Use private DMZ addresses and nat just to the Internet
4. Use private DMZ addresses and nat to the inside and Internet
TIA,
Jim
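For reference, here is what options 2 and 4 from the list above look like as PIX configuration. This is an added example, not part of the thread; it assumes PIX 6.2-era syntax (option 4's DMZ-to-inside static relies on outside NAT, and option 2's inside-to-DMZ path relies on `nat 0 access-list`, neither of which older releases support), and all addresses are RFC 5737 / RFC 1918 ranges chosen for illustration.

```text
: Common to both: three interfaces, DMZ at an intermediate security level
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
: inside (private) is hidden behind one public address toward the Internet
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.2
: only allow HTTP from the Internet to the DMZ web server's advertised address
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

: ---- Option 2: public DMZ addresses, no translation of DMZ hosts ----
ip address dmz 203.0.113.129 255.255.255.128
: DMZ hosts keep their real (public) addresses toward the outside
nat (dmz) 0 203.0.113.128 255.255.255.128
: "nat (inside) 1" above also applies toward the DMZ, so the inside
: must be exempted for DMZ-bound traffic only - a blanket "nat (inside) 0"
: would also disable the inside's Internet translation
access-list inside_to_dmz permit ip 10.0.0.0 255.255.255.0 203.0.113.128 255.255.255.128
nat (inside) 0 access-list inside_to_dmz

: ---- Option 4: private DMZ addresses, statics toward both sides ----
ip address dmz 192.168.2.1 255.255.255.0
: web server 192.168.2.10 is reachable from the Internet as 203.0.113.10 ...
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
: ... and advertised on the trusted LAN as 10.0.0.10 (the "trusted IP range")
static (dmz,inside) 10.0.0.10 192.168.2.10 netmask 255.255.255.255
: inside hosts reach the DMZ with their own addresses (identity static)
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
```

Whichever option is chosen, the access-list on the outside interface is what actually limits exposure of the DMZ host; the choice between public and translated addressing mostly changes how many translation entries have to be kept consistent.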