> -----Original Message-----
> From: Jim Johnson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 23 February 2001 11:08
> To: [EMAIL PROTECTED]
> Subject: RE: To NAT or not to NAT in the DMZ, that is the question.
>
>
> >-----Original Message-----
> >From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, February 20, 2001 4:45 PM
> >To: 'Jim Johnson'; [EMAIL PROTECTED]
> >Subject: RE: To NAT or not to NAT in the DMZ, that is the question.
> >
> >
> >If you're using a PIX, then I'd do it the PIX way - NAT.
[...]
> >BTW: Standard PIX philosophy would see your DMZ hosts being
> advertised on
> >the trusted LAN as static NAT translations - ie in the
> trusted IP range.
>
> After thinking about this a couple days I've managed to
> confuse myself
> again.
Thinking for two days in a row is liable to confuse _anyone_.
> Do I understand correctly that it is best (PIX)
> practice to use
> private addresses in your DMZ, and then statically nat them
> to both the
> Internet AND your internal network. (My internal network
> already uses
> private addresses and is nated to the Internet.)
Yes.
> Ben pointed out earlier that there are (or were at least)
> problems with the
> PIX nat0 command.
I think "potential for unexpected side effects" is a better way of putting
it.
> Assuming that there is no problem turning
> off nat for the
> DMZ interface I'm leaning towards my original gut feeling of
> using valid
> public IP's in my DMZ. I wouldn't nat to or from the DMZ to
> either the
> Internet or my internal network. It just seems simpler to
> not nat if you
> don't have to.
Your call. As I said before, the "standard" PIX way to do this would see you
NAT. I don't see any reason why your way would not work. NAT gives you a
minor security win at the cost of some protocols breaking. I don't think the
simplicity argument works at all. Your config will be harder to read if you
don't use NAT.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
