It depends on what you are trying to do. If you want the servers in your
DMZ to be publicly accessible, you will need to either use routable addresses
in your DMZ or configure a static NAT entry for each server. If these
NAT'd addresses are in the same IP subnet as the external interface of the
firewall, you will also need to configure the firewall to proxy ARP for the
static NAT IPs. Finally, you would also need to configure static host
routes for the routable IPs pointing to the corresponding RFC 1918
(192.x.x.x) addresses. NAT will also add to the processing load on the
firewall, since it adds the translation to whatever packet processing is
going on.
If you use routable IPs in your DMZ, the administration will be simpler
and it might improve firewall performance. I don't know about the security
aspects though.
-PaulK
At 10:26 AM 5/24/2000, Erin Young wrote:
>I am building a DMZ comprised of 2 FW-1 firewalls. Should I use private or
>public addresses in the DMZ? In other words, I was going to set up my DMZ
>with a public address on the external NIC of the firewall facing the
>Internet and have private addresses on the internal NIC.
>
>The private addresses in the DMZ would be different from the private
>addresses in my internal network. Therefore, the external NIC of my
>internal firewall, the one connected to my private network and the DMZ,
>will have an address from the DMZ range.
>
> (Public IP)
> x.x.x.x
> External Firewall
> 192.x.x.x
> *
> *
> DMZ*****Server(192.x.x.x)
> *
> *
> 192.x.x.x
> Internal Firewall
> x.x.x.x (Private IP)
>
>
>The management server will be in my private network. Will this cause a
>problem with pushing out policies and putkeys?
>
>What might be the pros and cons of this config?
>
>Also, can anyone let me know of any good sources of how to build a secure DMZ?
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================
*********************************************
Paul Keser
Network Security Engineer
[EMAIL PROTECTED]
tel: 415.351.4037
fax: 415.474.6017
ShopExpert.com
1375 Sutter Street, Suite 400
San Francisco, CA 94109
*********************************************
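The three things Paul's reply ties together for a NAT'd DMZ (a static NAT entry per server, proxy ARP only when the public address sits in the external interface's subnet, and a /32 host route from each public address to its private DMZ address) can be checked mechanically before touching the firewall. The following Python model is an added example, not part of the thread and not FW-1 configuration; the interface address, NAT table and 192.168.10.x DMZ addresses are constructed values using documentation ranges.

```python
import ipaddress

# Constructed example topology (not from the thread): the outer firewall's
# external interface and a static NAT table of public -> private DMZ address.
EXTERNAL_IF = ipaddress.ip_interface("203.0.113.10/24")
STATIC_NAT = {
    "203.0.113.20": "192.168.10.20",  # web server, public IP in the external IF subnet
    "203.0.113.21": "192.168.10.21",  # mail relay, public IP in the external IF subnet
    "198.51.100.5": "192.168.10.30",  # public IP routed to the firewall, outside that subnet
}


def needs_proxy_arp(public_ip, external_if=EXTERNAL_IF):
    """True when the NAT'd public address lies in the external interface's
    subnet: the upstream router will ARP for it directly, so the firewall
    must answer on the server's behalf. Addresses routed to the firewall
    from outside that subnet need no proxy ARP."""
    return ipaddress.ip_address(public_ip) in external_if.network


def host_route(public_ip, nat_table=STATIC_NAT):
    """The static /32 host route for one entry: public IP -> private DMZ IP."""
    return f"{public_ip}/32", nat_table[public_ip]


def translate_inbound(dst_ip, nat_table=STATIC_NAT):
    """Destination translation for a packet arriving from the Internet.
    Returns None when there is no static entry, i.e. nothing in the DMZ is
    reachable under that address and the packet should not be forwarded."""
    return nat_table.get(dst_ip)


def translate_outbound(src_ip, nat_table=STATIC_NAT):
    """Source translation for a reply leaving the DMZ (reverse of the table)."""
    reverse = {priv: pub for pub, priv in nat_table.items()}
    return reverse.get(src_ip)


def plan(nat_table=STATIC_NAT, external_if=EXTERNAL_IF):
    """Per-entry checklist: refuses a 'private' side that is not actually
    RFC 1918 space, then records whether proxy ARP is needed and the route."""
    entries = []
    for pub, priv in nat_table.items():
        if not ipaddress.ip_address(priv).is_private:
            raise ValueError(f"{priv} is not an RFC 1918 address")
        route_prefix, next_hop = host_route(pub, nat_table)
        entries.append({
            "public": pub,
            "private": priv,
            "proxy_arp": needs_proxy_arp(pub, external_if),
            "host_route": f"{route_prefix} -> {next_hop}",
        })
    return entries


if __name__ == "__main__":
    for entry in plan():
        flag = "proxy ARP required" if entry["proxy_arp"] else "no proxy ARP"
        print(f"{entry['public']:>14} -> {entry['private']:<15} {flag:<20} route {entry['host_route']}")
```

Run stand-alone, the script prints one line per static NAT entry; the two addresses inside 203.0.113.0/24 are flagged for proxy ARP while 198.51.100.5 is not, and every entry gets its /32 host route. The same functions model the per-packet translation cost Paul mentions: each inbound packet is looked up against the table, and one with no entry is simply not forwarded.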