Ask the Expert

Using NAT rules to map to DMZ

In an answer to a previous question dated November 13, you said, "The DMZ segment of your network must use public IP addressing..."

This means that you have at least two registered real world address ranges -- one for the external interface of the firewall and one for the DMZ.

A more efficient use of address space is to use the registered external interface of the firewall and have inbound NAT rules to map to another private address space for the DMZ. You can then have as many hosts in your DMZ as you like.

Are there any implications or vulnerabilities that I may not have considered?

    Requires Free Membership to View

There are no vulnerabilities that I know of regarding using NAT that way. As long as your inbound NAT rules can handle all the mappings, there shouldn't be a problem. I stated public addressing simply because many people want to put a Web server in their DMZ, and that is more easily done using a public address. That way, DNS and routing aren't a real issue. If you are capable of setting up the appropriate NAT mappings that will still allow the proper DNS lookups and routing to work, then by all means do so. Sorry for any confusion that my answer may have caused.

This was first published in November 2001

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: