As far as I know, you must break the subnet down into two smaller subnets to get that to work....

Just as a logistical issue/question as well: generally you'll have one NIC as your external interface and your DMZ hanging off another. Your external int must have one of your public addresses, so how do you assign public addresses from this same subnet to a different NIC on your FW?

Ian
Speed, and capability as well. You need to know (or at least have a rough idea) how many concurrent connections will be going through the firewall. NAT can seriously drain the 25,000 default connections because it requires 2x the connections running through the firewall. This ordinarily does not present a problem on smaller sites; however, if you anticipate your site will be hugely popular (don't we all) such as a large ecommerce site, you might want to consider not natting to the DMZ. There are ways to go beyond 25,000 connections, which are documented at Phoneboy. But then you start having performance issues as indicated by CryptoTech. I suppose there are some advantages to natting the DMZ, such as flexibility in addressing, limiting the ability for you or others to shoot yourself in the foot, and the #1 reason: lack of valid address space. Many times the situation is one where you have little or no choice but to NAT the DMZ. However, if you do have the choice, and practice reasonably good management of the firewall and DMZ, I see no reason to NAT the DMZ. Bear in mind that if you do not NAT the DMZ, your anti-spoofing rules become more critical than ever before.

Frank
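As an added illustration of the two points raised above (Ian's splitting of the public block into an external and a DMZ subnet, and Frank's remark that anti-spoofing rules become critical when the DMZ is not NATed), here is example code that is not from this thread or from any firewall vendor. It assumes a constructed documentation block 203.0.113.0/24 as the public range and 10.0.0.0/8 as the private LAN behind the firewall.

```python
import ipaddress

# Constructed example block (documentation range, not a real deployment): the
# public subnet that gets split into two halves, one for the external
# interface and one for the un-NATed DMZ.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed private LAN


def split_public_block(block):
    """Return (external_net, dmz_net): the two equal halves of the block."""
    external_net, dmz_net = block.subnets(prefixlen_diff=1)
    return external_net, dmz_net


def build_topology(block):
    """Map each firewall interface to the networks legitimately behind it."""
    external_net, dmz_net = split_public_block(block)
    return {
        "external": {"nets": [external_net], "is_external": True},
        "dmz": {"nets": [dmz_net], "is_external": False},
        "internal": {"nets": [INTERNAL_NET], "is_external": False},
    }


def is_spoofed(topology, iface, src_ip):
    """Anti-spoofing check: True if src_ip should never arrive on iface.

    DMZ/LAN-facing interfaces may only see sources from their own nets. The
    external interface may see any source except addresses that live behind
    another interface; with an un-NATed DMZ those are real public addresses,
    which is why this check matters more without NAT."""
    ip = ipaddress.ip_address(src_ip)
    entry = topology[iface]
    if entry["is_external"]:
        return any(ip in net
                   for name, other in topology.items() if name != iface
                   for net in other["nets"])
    return not any(ip in net for net in entry["nets"])


if __name__ == "__main__":
    topo = build_topology(PUBLIC_BLOCK)
    # Constructed sample packets: (arriving interface, source address)
    samples = [("external", "203.0.113.130"), ("external", "198.51.100.7"),
               ("dmz", "203.0.113.130"), ("dmz", "10.1.2.3")]
    for iface, src in samples:
        print(f"{iface:8s} {src:16s} spoofed={is_spoofed(topo, iface, src)}")
```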
Speed. Firewall load. Latency. NAT modifies every packet involved in the rule, and thus adds latency. If you are running 100mb or higher, you probably don't want to use NAT.

HTH, CryptoTech
Brian Burns wrote:

I am doing a redesign of our existing network and have been asked to use private addressing with NAT. I am not pro/against it - but I have always used valid addresses on my DMZ servers. So... why would one want to use NAT on your DMZ devices? Comments?

Brian