Problem solve Get help with specific problems with your technologies, process and projects.

Using NAT rules to map to DMZ

In an answer to a previous question dated November 13, you said, "The DMZ segment of your network must use public IP addressing..."

This means that you have at least two registered real world address ranges -- one for the external interface of the firewall and one for the DMZ.

A more efficient use of address space is to use the registered external interface of the firewall and have inbound NAT rules to map to another private address space for the DMZ. You can then have as many hosts in your DMZ as you like.

Are there any implications or vulnerabilities that I may not have considered?

There are no vulnerabilities that I know of regarding using NAT that way. As long as your inbound NAT rules can handle all the mappings, there shouldn't be a problem. I stated public addressing simply because many people want to put a Web server in their DMZ, and that is more easily done using a public address. That way, DNS and routing aren't a real issue. If you are capable of setting up the appropriate NAT mappings that will still allow the proper DNS lookups and routing to work, then by all means do so. Sorry for any confusion that my answer may have caused.

This was last published in November 2001

Dig Deeper on Enterprise network security