> Delivered-To: [EMAIL PROTECTED]
> From: "Aaron Jongbloedt" <[EMAIL PROTECTED]>
>
> What pros/cons would you have if you had one<-->one NAT mapping for your
> servers, i.e.:
>
> web.server   192.168.1.5 <--> 216.191.221.51
> mail.server  192.168.1.6 <--> 216.191.221.60
>
> So the firewall is doing NAT with one-to-one mapping... therefore your
> servers are usable over the net, but they have private IPs because the
> firewall has the real IP addy and is forwarding the requests. So my
> question is: what would be the difference from just letting the servers
> have a real address but still behind a firewall?
Without seeing a network diagram, I'm going to assume that your firewall's public IP is something like 216.191.221.x. I'm also assuming that your firewall is a routing type, and not bridging.

So, by putting your servers behind the firewall, you gain the protection of the firewall. You could also protect them with a host-based firewall, or a bridging firewall, and let them keep their real IPs.

Assuming you'll still want to access these from internal clients: if you've got your servers on the same private network, the internal clients will be able to directly access the servers without going through the firewall.

Personally, I would put the servers off of a third interface and set up a DMZ. That way they are still protected by your firewall, and your internal network still has a layer of defense in case those servers are compromised.

> Part two: I am already running NAT, can I also do this one<-->one mapping as
> well?

That depends on what firewall you are using. It should only be a matter of reconstructing your NAT rules to be more specific.

> Part three: on the machines that are being NATted (private IPs), what is the
> real address that is being spoofed? Or should I say, if I go to a website
> using a private-IP machine, what address does the website think it is
> talking to?

The public IP, though getting the private IP is not too difficult.

hth
Valerie

-- 
Now appearing as Beth Beam in: "Dilemma at the Toll Road Inn" and the Gaslighter Theater's Nearly World Famous Vaudeville Revue!
http://www.gaslighter.com/ Now - New Year's Eve. Tix: 408.866.1408

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
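As an added illustration of the design Valerie describes (not part of the original thread), here is how the two 1:1 mappings from the question, the existing many-to-one NAT for LAN clients, and a DMZ on a third interface look as a single nftables ruleset. Interface names (eth0 = Internet, eth1 = LAN, eth2 = DMZ) and the service ports (80/443 for web.server, 25 for mail.server) are assumptions, not something the thread states.

```nft
# Assumed layout: eth0 = Internet side (firewall holds 216.191.221.x),
# eth1 = internal LAN, eth2 = DMZ holding the two servers.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound half of the 1:1 mapping: public address -> DMZ server.
        iifname "eth0" dnat to ip daddr map { 216.191.221.51 : 192.168.1.5, 216.191.221.60 : 192.168.1.6 }
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound half: each server leaves with its own public address, so a
        # remote site sees 216.191.221.51 or .60, never 192.168.1.x (part three).
        oifname "eth0" snat to ip saddr map { 192.168.1.5 : 216.191.221.51, 192.168.1.6 : 216.191.221.60 }
        # Everything that did not match the specific map above (LAN clients)
        # keeps the existing many-to-one NAT on the firewall's address (part two).
        oifname "eth0" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Internet -> DMZ: only the published services. DNAT has already run,
        # so the filter matches on the private addresses.
        iifname "eth0" oifname "eth2" ip daddr 192.168.1.5 tcp dport { 80, 443 } accept
        iifname "eth0" oifname "eth2" ip daddr 192.168.1.6 tcp dport 25 accept
        # LAN may reach the DMZ and the Internet.
        iifname "eth1" oifname { "eth2", "eth0" } accept
        # DMZ may reach the Internet, but a compromised server cannot
        # initiate connections into the LAN.
        iifname "eth2" oifname "eth0" accept
        iifname "eth2" oifname "eth1" drop
    }
}
```

Load with `nft -f` and check the active translations with `conntrack -L` to confirm that server traffic carries its dedicated public address while client traffic carries the firewall's.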
