Oscar -

I'm from the crowd of "NAT is not a security solution, but
a very convenient firewall/router feature", so I don't think
you would need to use it for additional security. It can
be useful for topology hiding, but in the case of your
DMZ, there doesn't seem to be much to hide (and there have
been numerous discussions before on how to get a host's
true IP address, anyways).

Since these systems already have public IPs, and it
doesn't sound like you're planning on renumbering them
with private addresses, there isn't really a reason
to use NAT for these hosts.

Valerie

> Delivered-To: [EMAIL PROTECTED]
> Date: Tue, 25 Jul 2000 20:16:24 -0500
> From: Oscar Rau <[EMAIL PROTECTED]>
>
> We are implementing a DMZ which will be using public IP addresses. The
> DMZ systems interfacing the PIX interface will have public IP
> addresses and not private IP addresses. In this case, can GLOBAL/NAT
> statements still be used to add any valuable security to the DMZ
> systems? Is there any point in using NAT, because we do not have private
> IP addresses for the DMZ systems?
>
> Any thoughts/ideas for this solution appreciated.
>
> Thank you in advance.
>
> Oscar Rau
> [EMAIL PROTECTED]
>