A few issues.

> This firewall was not set up using best practices. On the most simple
firewall, Public/Private/DMZ, typically one would leave all users
internal (private), place servers that need to be segmented from everyone on
the DMZ, and leave all public addresses external. NATTing would be done
where needed.

I would suggest (based on your discussion), that you move the database
server to the DMZ and make policies to protect it from all other segments.
Do this with all critical servers, and along with your NATs, restrict down
to the service level.

Thomas Poole

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 29, 2000 6:53 AM
To: [EMAIL PROTECTED]
Subject: [FW1] can this work? internal NAT to DMZ then external



Hi all gurus,

I have a situation here, I don't know whether this will work, and I do not have
enough resources to test it out. Please help.

The situation is that it has three zones: External, DMZ and Internal.
The DMZ and External zones are all using real IP addresses without any NAT.
Then I have a database server in the Internal zone which needs to NAT to the
IP range in the DMZ. So I wonder, will this mapping work? And where do I
publish my NAT address: should I do it on the DMZ interface? If I do it not the
DMZ interface, will the outside world be able to access the server, which I
intended?

many thanks in advance.


chiam













================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

