RE: [FW1] Opinon Requested - to NAT or not to NAT DMZ Addresses

[Carl E. Mankinen]

Why would you want to use NAT on DMZ devices? If you are running NT and you stop the firewall services (or they crash for instance), then it will route all packets to those DMZ servers regardless of rulebase etc. (obviously, the fw-1 service is not controlling packets and the OS is acting as a dumb router.)   If you NAT the DMZ legs, then in the case of your firewall services failing they will not be vulnerable.   I haven't really seen any performance problems at all. FW-1 seems amazingly efficient for what it does. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of CryptoTech Sent: Saturday, November 11, 2000 9:20 AM To: Brian Burns Cc: [EMAIL PROTECTED] Subject: Re: [FW1] Opinon Requested - to NAT or not to NAT DMZ Addresses Speed.  Firewall load.  Latency.  NAT modifies every packet involved in the rule, and thus add latency.  If you are running 100mb or higher, you probably don't want to use nat HTH, CryptoTech Brian Burns wrote: I am doing a redesign of our existing network and have been asked to use private addressing with NAT. I am not pro/against it - but I have always used valid addresses on my DMZ servers. So... why would one want to use NAT on your DMZ devices? Comments? Brian