Q

Using NAT rules to map to DMZ

In an answer to a previous question dated November 13, you said, "The DMZ segment of your network must use public IP addressing..."

This means that you have at least two registered real-world address ranges -- one for the external interface of the firewall and one for the DMZ.

A more efficient use of address space is to use the registered external interface of the firewall and have inbound NAT rules to map to another private address space for the DMZ. You can then have as many hosts in your DMZ as you like.

Are there any implications or vulnerabilities that I may not have considered?

There are no vulnerabilities that I know of regarding using NAT that way. As long as your inbound NAT rules can handle all the mappings, there shouldn't be a problem. I stated public addressing simply because many people want to put a Web server in their DMZ, and that is more easily done using a public address. That way, DNS and routing aren't a real issue. If you are capable of setting up the appropriate NAT mappings that will still allow the proper DNS lookups and routing to work, then by all means do so. Sorry for any confusion that my answer may have caused.
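The setup the question and answer describe, as an added example that is not part of the original Q&A and is not the expert's own configuration: a firewall with a single public address on its outside interface, a DMZ on RFC 1918 space, and inbound NAT rules that forward public ports to DMZ hosts. It is written for nftables on a Linux firewall; the addresses (203.0.113.10 from the documentation range, 192.168.100.0/24 for the DMZ, 10.0.0.0/24 for the LAN), the interface names and the three mappings are all hypothetical. It goes slightly beyond the text in two ways a practitioner would want: it rejects a mapping table that forwards the same public port twice (the "as long as your NAT rules can handle all the mappings" condition), and it adds a hairpin rule so that internal clients, who resolve the Web server's public name to 203.0.113.10 just as outside clients do, still reach the DMZ host without a split-horizon DNS zone.

```shell
#!/bin/sh
# Added example, not the article's own configuration. All addresses,
# interface names and hosts below are hypothetical.
PUBLIC_IP=203.0.113.10      # the firewall's single registered address
WAN_IF=eth0                 # outside
LAN_IF=eth1                 # internal network
DMZ_IF=eth2                 # DMZ, private addressing
LAN_NET=10.0.0.0/24
DMZ_NET=192.168.100.0/24

# Inbound mappings: "proto public_port dmz_host dmz_port", one per line.
MAPPINGS='tcp 80 192.168.100.10 80
tcp 443 192.168.100.10 443
tcp 25 192.168.100.20 25'

# A public proto/port pair can be forwarded to exactly one DMZ socket;
# a second entry for the same pair would never be reached. Returns 1
# and names the offending pair(s) on stderr if one is found.
validate_mappings() {
    dup=$(printf '%s\n' "$MAPPINGS" | awk '{print $1"/"$2}' | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "duplicate public port mapping(s): $dup" >&2
        return 1
    fi
    return 0
}

# Emit a complete nftables ruleset on stdout (apply with: sh dmz-nat.sh | nft -f -).
gen_ruleset() {
    validate_mappings || return 1
    cat <<EOF
flush ruleset
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
EOF
    printf '%s\n' "$MAPPINGS" | while read -r proto pport host hport; do
        # Inbound from the Internet: rewrite the public address to the DMZ host.
        printf '        iifname "%s" ip daddr %s %s dport %s dnat to %s:%s\n' \
            "$WAN_IF" "$PUBLIC_IP" "$proto" "$pport" "$host" "$hport"
        # Hairpin: LAN clients use the same public name/address as outsiders.
        printf '        iifname "%s" ip daddr %s %s dport %s dnat to %s:%s\n' \
            "$LAN_IF" "$PUBLIC_IP" "$proto" "$pport" "$host" "$hport"
    done
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpinned LAN->DMZ flows must be source-NATed, or the DMZ host
        # would reply directly to the LAN client and the flow would break.
        ip saddr $LAN_NET ip daddr $DMZ_NET ct status dnat masquerade
        # Everything leaving the outside interface uses the public address.
        oifname "$WAN_IF" masquerade
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
EOF
    printf '%s\n' "$MAPPINGS" | while read -r proto pport host hport; do
        # Only the translated ports may open new connections into the DMZ.
        printf '        oifname "%s" ip daddr %s %s dport %s ct state new accept\n' \
            "$DMZ_IF" "$host" "$proto" "$hport"
    done
    cat <<EOF
        iifname "$LAN_IF" oifname "$DMZ_IF" ct state new accept
        iifname "$DMZ_IF" oifname "$LAN_IF" drop
        iifname "$DMZ_IF" oifname "$WAN_IF" ct state new accept
    }
}
EOF
}

gen_ruleset
```

The filter table is where the "no vulnerabilities I know of" answer earns its keep: the DNAT rules only decide where a packet goes, and the default-drop forward chain is what keeps a compromised DMZ host from opening connections into the LAN. Public DNS for the DMZ services simply publishes 203.0.113.10; the hairpin rule covers internal clients that resolve the same name, so no second (internal) view of the zone is needed, though split-horizon DNS is an equally valid way to solve that.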

This was first published in November 2001
