Pardon my jumping in, but isn't it common practice to have a different
network for the DMZ, not in the same address space as the external address
of the firewall? Otherwise internal requests to the public address of a DMZ
system would get "out" on the Internet first and then back in, right?
Example:
We used to have a 10.41.x.x DMZ network, because all internal networks were
also using 10.x networks and the routing from the LAN to the DMZ hosts (for
internal guys doing maintenance or whatever) was easier that way.
For the Internet the FW of course held a "virtual", public address for any
DMZ server and routed all requests for it to the NATted DMZ address.
Did I miss something here?
Best regards
Ralf G.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
