Ian,
Actually, you don't have to publicly address your outside firewall
interface at all (provided your firewall is not terminating your Internet
circuit). If your firewall simply talks to a border router (which is
usually the case), then it's quite easy to set up a privately IP'd
transport network between the firewall and the router. Then you can use
all of your public space in the DMZ. I wouldn't recommend that for all
situations, but it's definitely doable (I have around 50 firewalls and
most of them are private externally and internally, with public DMZ
segments).
Just a thought. Hope it helps!
Jason
>
> RE: [FW1] Opinion Requested - to NAT or not to NAT DMZ Addresses
> Date: Mon, 13 Nov 2000 10:15:12 -0800
> From: Ian Campbell <[EMAIL PROTECTED]>
> To: "'Frank Darden'" <[EMAIL PROTECTED]>, "'CryptoTech'" <[EMAIL PROTECTED]>,
> Brian Burns <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
>
> Just as a logistical issue/question as well:
>
> Generally you'll have one NIC as your external interface and your DMZ
> hanging off another. Your external int must have one of your public
> addresses, so how do you assign public addresses from this same subnet to
> a different NIC on your FW?
>
> Ian
>
> -----Original Message-----
> From: Frank Darden [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, November 12, 2000 7:54 AM
> To: 'CryptoTech'; Brian Burns
> Cc: [EMAIL PROTECTED]
> Subject: RE: [FW1] Opinion Requested - to NAT or not to NAT DMZ Addresses
> Importance: High
>
> Speed, and capability as well. You need to know (or at least have a rough
> idea) how many concurrent connections will be going through the firewall.
> NAT can seriously drain the 25,000 default connections because it requires
> 2x the connections running through the firewall. This ordinarily does not
> present a problem on smaller sites; however, if you anticipate your site
> will be hugely popular (don't we all), such as a large ecommerce site, you
> might want to consider not NATting to the DMZ. There are ways to go beyond
> 25,000 connections that are documented at Phoneboy. But then you start
> having performance issues as indicated by CryptoTech. I suppose there are
> some advantages to NATting the DMZ such as flexibility in addressing,
> limiting the ability for you or others to shoot yourself in the foot, and
> the #1 reason, lack of valid address space. Many times the situation is
> one where you have little or no choice but to NAT the DMZ. However, if you
> do have the choice, and practice reasonably good management of the
> firewall and DMZ, I see no reason to NAT the DMZ. Bear in mind if you do
> not NAT the DMZ your antispoofing rules become more critical than ever
> before.
>
>
> Frank
>
>
> -----Original Message-----
> From: CryptoTech [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, November 11, 2000 9:20 AM
> To: Brian Burns
> Cc: [EMAIL PROTECTED]
> Subject: Re: [FW1] Opinion Requested - to NAT or not to NAT DMZ Addresses
>
> Speed. Firewall load. Latency. NAT modifies every packet involved in the
> rule, and thus adds latency. If you are running 100mb or higher, you
> probably don't want to use NAT.
>
> HTH,
> CryptoTech
>
> Brian Burns wrote:
>
> I am doing a redesign of our existing network and have been asked to use
> private addressing with NAT. I am not pro/against it - but I have always
> used valid addresses on my DMZ servers. So... why would one want to use
> NAT on your DMZ devices? Comments?
>
> Brian
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
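Two points in the thread fit together: Jason's layout (a privately addressed transport net between the border router and the firewall, with the public block on the DMZ) and Frank's warning that once the DMZ is not NATted, anti-spoofing rules on each interface become critical, because a forged DMZ source arriving from the Internet is a routable public address and looks perfectly valid. The following is an added example written for this thread, not Check Point code and not any poster's configuration; the topology, the router peer address and the sample packets are all constructed (RFC 5737 test ranges and RFC 1918 space), and the rule it implements is the per-interface check Frank alludes to: inside and DMZ interfaces accept only sources that belong behind them, and the outside interface rejects any source that belongs behind the firewall.

```python
"""Per-interface anti-spoofing check for a firewall whose DMZ carries public
addresses (no NAT) and whose outside interface sits on a private transport
network to a border router. Example code for this thread, not a Check Point
feature or anyone's real configuration; all addresses are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Assumed topology (not from the thread): outside interface on a private /30
# to the border router, DMZ on a public /27, inside on RFC 1918 space.
TOPOLOGY: Dict[str, List[ipaddress.IPv4Network]] = {
    "external": [ipaddress.ip_network("192.168.255.0/30")],  # router <-> firewall transport net
    "dmz":      [ipaddress.ip_network("203.0.113.0/27")],    # public, routed, NOT translated
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}
# Assumed: the only legitimate transport-net source on the outside interface.
ROUTER_PEER = ipaddress.ip_address("192.168.255.1")


def anti_spoof(interface: str, src: str) -> Tuple[bool, str]:
    """Return (accept, reason) for a packet with source `src` arriving on `interface`.

    Inside/DMZ interfaces accept only sources that live behind them. The
    external interface accepts anything EXCEPT addresses that live behind
    the firewall; with a public, un-NATted DMZ a forged DMZ source from the
    Internet would otherwise look like ordinary routable traffic.
    """
    ip = ipaddress.ip_address(src)
    if interface not in TOPOLOGY:
        return False, f"unknown interface {interface}"

    if interface != "external":
        if any(ip in net for net in TOPOLOGY[interface]):
            return True, f"{src} is legitimately behind {interface}"
        return False, f"{src} is not a {interface} address (spoofed or misrouted)"

    # External interface: reject anything claiming an address behind the firewall.
    for name, nets in TOPOLOGY.items():
        if name == "external":
            continue
        if any(ip in net for net in nets):
            return False, f"{src} claims to be a {name} host but arrived from outside"
    # The transport net is private; only the router peer may source from it.
    if any(ip in net for net in TOPOLOGY["external"]) and ip != ROUTER_PEER:
        return False, f"{src} is on the transport net but is not the border router"
    return True, f"{src} is an ordinary outside source"


def filter_packets(packets):
    """Apply anti_spoof to (interface, src, dst) tuples; return (accepted, dropped)."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        ok, reason = anti_spoof(iface, src)
        (accepted if ok else dropped).append((iface, src, dst, reason))
    return accepted, dropped


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    ("external", "198.51.100.7",  "203.0.113.10"),   # Internet client -> DMZ web server: fine
    ("external", "203.0.113.10",  "10.1.2.3"),       # forged DMZ source from outside: drop
    ("external", "10.5.5.5",      "203.0.113.10"),   # forged inside source from outside: drop
    ("external", "192.168.255.1", "192.168.255.2"),  # border router talking to firewall: fine
    ("external", "192.168.255.3", "203.0.113.10"),   # transport-net source that isn't the router: drop
    ("dmz",      "203.0.113.10",  "198.51.100.7"),   # DMZ server replying outward: fine
    ("dmz",      "10.9.9.9",      "198.51.100.7"),   # inside address seen on the DMZ wire: drop
    ("internal", "10.1.2.3",      "203.0.113.10"),   # inside host -> DMZ: fine
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    for entry in accepted:
        print("ACCEPT", *entry)
    for entry in dropped:
        print("DROP  ", *entry)
```

Running it on the constructed sample accepts four packets and drops four; the two drops that matter for Frank's point are the packets arriving on the outside interface with a DMZ or inside source. Note that the external rule is a deny-list of "addresses behind me" rather than an allow-list, because the outside interface legitimately sees the whole Internet; the inside and DMZ rules are allow-lists because those segments are fully known.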