Title: RE: IP addressing on firewall


> -----Original Message-----
> From: [EMAIL PROTECTED]
> Ronneil,
>
> #Since I have never tried setting up DMZ, I have a question: This DMZ side of
> #the firewall should contain ip network/subnet accessible outside. What I
> #mean here is, I shouldn't use RFC1918 on the DMZ side, it should be public
> #IP addresses. Am I right?
>
>      You can use RFC1918 addresses as long as you still do NAT.  For
> external to DMZ connections you will want to do IP address redirection in
> your proxy. You may need multiple Internet routable IP addresses assigned
> to the external NIC of the firewall depending on what kind of and how many
> servers you have on the DMZ.
>
> Examples:
>
> 1.  If you have two web servers on the DMZ then you would need two routable
> IP addresses on your firewall's external NIC so you can map all traffic for
> port 80 and port 443 on one IP address to one web server and all port 80
> and port 443 traffic on the other IP address to the other web server.
>
> 2.  If you have a web server and an ftp server then you only need one
> Internet routable IP address because you can map ports 20 and 21 to the ftp
> server on the dmz and ports 80 and 443 to the web server.

3. If you have two web servers on the DMZ you can (on some firewalls,
my NetScreen 100 can do it) do load balancing by assigning multiple
servers to one routable IP.
>
> It is easier to just have Internet routable IP addresses on the DMZ if you
> have servers of the same type and have extra IP addresses lying around.
 
It is clearer and easier to debug this way.


Vincent de Lau
 System Administrator / MSCE

 Tridion (http://www.tridion.com)
 mailto:[EMAIL PROTECTED]
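
The mapping rule from examples 1 and 2 above, as an added example that is not part of the original message: a small Python planner that gives each server the first external IP on which none of its ports is already forwarded. The server names, the addresses and the first-fit strategy are assumptions; first-fit always yields a conflict-free table but is not guaranteed to use the fewest IPs.

```python
# Added example: first-fit planner for static port forwards (external IP:port
# -> DMZ server). All names and addresses are constructed: 192.0.2.0/24 is
# documentation space standing in for routable IPs, 10.0.0.0/24 is RFC1918.

EXTERNAL_IPS = ["192.0.2.1", "192.0.2.2"]
TWO_WEB = {"web1": ("10.0.0.10", [80, 443]), "web2": ("10.0.0.11", [80, 443])}
WEB_AND_FTP = {"web": ("10.0.0.10", [80, 443]), "ftp": ("10.0.0.20", [20, 21])}


def plan_forwards(servers, external_ips):
    """Return {(external_ip, port): dmz_ip} with no (IP, port) pair reused.

    servers maps a name to (dmz_ip, [tcp ports]). Each server lands on the
    first external IP where all of its ports are still free; a ValueError
    means more routable addresses are needed on the external NIC.
    """
    table = {}
    for name, (dmz_ip, ports) in servers.items():
        for ext in external_ips:
            if all((ext, port) not in table for port in ports):
                for port in ports:
                    table[(ext, port)] = dmz_ip
                break
        else:  # no external IP had every one of this server's ports free
            raise ValueError(f"no free external IP for {name} (ports {ports})")
    return table


def ips_used(table):
    """External IPs that actually carry at least one forward."""
    return sorted({ext for ext, _ in table})


def render(table):
    """Human-readable rules, one per forwarded port, for review or debugging."""
    return [f"{ext}:{port} -> {dmz}:{port}"
            for (ext, port), dmz in sorted(table.items())]


if __name__ == "__main__":
    cases = (("two web servers", TWO_WEB), ("web + ftp", WEB_AND_FTP))
    for label, servers in cases:
        table = plan_forwards(servers, EXTERNAL_IPS)
        print(f"{label}: {len(ips_used(table))} external IP(s)")
        print("\n".join("  " + line for line in render(table)))
```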

 
