Aaron,

If you need some clarification on NAT's effect on security you should also tell us the firewall type. Packet filter firewalls sometimes have problems with spoofing when you are using NAT.

However, it is usually a good idea to put publicly accessible servers in a DMZ and use real IPs:

pros
1. Configuration is simplified -> added security
2. Performance is higher
3. No problems with protocols which don't work with NAT or require an Application Level Gateway.

cons
1. Configuration changes are more difficult (example: you can't just change the rule in the firewall for redirecting traffic to the mail server; also dependent on the firewall)
2. Need to have public IPs in the DMZ (well, you never have enough public IPs nowadays)

rgds,
Harri

> -----Original Message-----
> From: ext Aaron Jongbloedt [mailto:[EMAIL PROTECTED]]
> Sent: 14 December, 2001 23:48
> To: Valerie Anne Bubb; [EMAIL PROTECTED]
> Subject: Re: NAT w/ one to one mapping
>
>
> here ya go...this should explain "mo better" what i am trying to say....
>
>
> current:
>
> web.server<------|
> real ip#1        |
>                  |------->firebox/firewall
> mail.server<------|
> real ip#2
>
>
>
> proposed:
>
> web.server<------|
> private ip#1     |
>                  |------->firebox/firewall
> mail.server<------|  real ip#1,2
> private ip#2
>
> ----- Original Message -----
> From: "Valerie Anne Bubb" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Friday, December 14, 2001 1:29 PM
> Subject: Re: NAT w/ one to one mapping
>
>
> > > Delivered-To: [EMAIL PROTECTED]
> > > From: "Aaron Jongbloedt" <[EMAIL PROTECTED]>
> > >
> > > what pros/cons would you have if you had one<-->one nat mapping for your servers ie:
> > >
> > > web.server 192.168.1.5<-->216.191.221.51
> > > mail.server 192.168.1.6<-->216.191.221.60
> > >
> > > so the firewall is doing NAT with one to one mapping...therefore your servers are usable over the net, but they have private ip's because the firewall has the real ip addy and is forwarding the requests. so my question is what would be the difference of just letting the servers have a real address but yet behind a firewall.
> >
> > Without seeing a network diagram, I'm going to assume that your firewall's public IP is something like 216.191.221.x. Also assuming that your firewall is a routing type, and not bridging. So, by putting your servers behind the firewall, you gain the protection of the firewall.
> >
> > You could also protect them with a host-based firewall, or a bridging firewall and let them keep their real IPs.
> >
> > Assuming you'll still want to access these from internal clients, if you've got your servers on the same private network, the internal clients will be able to directly access the servers w/out going through the firewall.
> >
> > Personally, I would put the servers off of a third interface and set up a DMZ. So they are still protected by your firewall, and your internal network still has a layer of defense in case those servers are compromised.
> >
> > > part two: i am already running NAT, can i also do this one<-->one mapping as well?
> >
> > That depends on what firewall you are using. It should only be a matter of reconstructing your NAT rules to be more specific.
> >
> > > part three: on the machines that are being NATted (private ip's) what is the real address that is being spoofed? Or should i say, if i go to a website using a private ip machine, what address does the website think it is talking to?
> >
> > The public IP, though getting the private IP is not too difficult.
> >
> > hth
> >
> > Valerie
> >
> > --
> > Now appearing as Beth Beam in: "Dilemma at the Toll Road Inn" and
> > the Gaslighter Theater's Nearly World Famous Vaudeville Revue!
> > http://www.gaslighter.com/ Now - New Year's Eve. Tix: 408.866.1408
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
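The "proposed" layout from Aaron's diagram written as an nftables ruleset, added here as an example and not part of the thread or anyone's posted configuration. It assumes eth0 is the public interface carrying 216.191.221.51 and .60 as secondary addresses, eth1 faces the private server segment, and the published services are HTTP/HTTPS on web.server and SMTP on mail.server; the anti-spoofing rule is there for the packet-filter caveat Harri raises.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed interfaces: eth0 = public,
# eth1 = private server segment. Service ports are assumptions too.
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Inbound: public address -> private server (the one<-->one mapping)
        iifname "eth0" ip daddr 216.191.221.51 dnat to 192.168.1.5
        iifname "eth0" ip daddr 216.191.221.60 dnat to 192.168.1.6
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Outbound: each server leaves with its own public address, so a
        # remote site sees 216.191.221.51 / .60, not 192.168.1.x ("part three")
        oifname "eth0" ip saddr 192.168.1.5 snat to 216.191.221.51
        oifname "eth0" ip saddr 192.168.1.6 snat to 216.191.221.60
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Anti-spoofing: packets arriving from the outside must never claim
        # a private source address (Harri's packet-filter + NAT caveat)
        iifname "eth0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        ct state established,related accept
        # Only the published services reach the translated servers; the
        # forward hook runs after DNAT, so match on the private addresses
        iifname "eth0" ip daddr 192.168.1.5 tcp dport { 80, 443 } accept
        iifname "eth0" ip daddr 192.168.1.6 tcp dport 25 accept
        # Servers may initiate outbound connections (e.g. mail relay)
        iifname "eth1" oifname "eth0" ip saddr { 192.168.1.5, 192.168.1.6 } accept
    }
}
```

Note that this only protects the servers from the outside; if internal clients share the 192.168.1.0/24 segment they reach the servers directly, which is Valerie's reason for moving them to a third interface as a DMZ.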
