public or private addressing on DMZ?

Mar 26th, 2008

Green field design and have the option of public or private IPs; both seem to have merits.


-can easily change ISPs in future without changing IPs on servers, which can be a hassle at times

-through PAT, many more addresses available, assuming ISP gives limited public.


-no conflicts with other IPs for VPN or branches

-less NAT config headaches.


Jon Marshall Wed, 03/26/2008 - 15:18


As you say, both have merits and it really does depend to a large extent on how many servers on DMZ, how many Public IPs.

Unless you have provider independent Public IP addressing, all other things being equal, I would go for NAT unless you have any applications that you know will not work with NAT.

I don't think NAT should be viewed as a security function but rather it gives you more flexibility in how you deploy devices. I don't think conflicts with other branches should be an issue because if worse comes to worst you can NAT before IPsec.

NAT can be a pain to configure in some cases but as you say nowhere near as big a pain as readdressing all your DMZ servers.
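
The address-conflict concern and the "NAT before IPsec" workaround from this thread, as an added example that is not part of the original posts: it finds branch/VPN networks that overlap a privately addressed DMZ and picks a non-conflicting subnet to present the DMZ as through 1:1 static translation. All subnets are constructed sample values and the function names are hypothetical.

```python
import ipaddress

# Constructed sample addressing, not taken from the thread.
DMZ = "192.168.1.0/24"
REMOTE_NETS = ["192.168.0.0/23", "10.20.0.0/16", "172.16.0.0/22"]  # branches / VPN peers
NAT_POOL = "172.16.0.0/16"  # private space the DMZ may be presented as


def find_overlaps(dmz, remote_nets):
    """Return the remote networks whose address space collides with the DMZ."""
    dmz_net = ipaddress.ip_network(dmz)
    return [r for r in remote_nets if dmz_net.overlaps(ipaddress.ip_network(r))]


def pick_translated_subnet(dmz, remote_nets, pool):
    """First subnet of the DMZ's size inside pool that collides with nothing."""
    dmz_net = ipaddress.ip_network(dmz)
    taken = [ipaddress.ip_network(r) for r in remote_nets] + [dmz_net]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=dmz_net.prefixlen):
        if not any(cand.overlaps(t) for t in taken):
            return cand
    return None


def translate(host, dmz, translated):
    """1:1 static mapping: keep the host offset, swap the network portion."""
    dmz_net = ipaddress.ip_network(dmz)
    offset = int(ipaddress.ip_address(host)) - int(dmz_net.network_address)
    if not 0 <= offset < dmz_net.num_addresses:
        raise ValueError(f"{host} is not inside {dmz_net}")
    return ipaddress.ip_address(int(translated.network_address) + offset)


if __name__ == "__main__":
    print("overlapping peers:", find_overlaps(DMZ, REMOTE_NETS))
    mapped = pick_translated_subnet(DMZ, REMOTE_NETS, NAT_POOL)
    print("present DMZ to peers as:", mapped)
    print("192.168.1.25 ->", translate("192.168.1.25", DMZ, mapped))
```

The translated subnet is what the tunnel's interesting-traffic definition would reference on both ends, so the translation has to be applied before the traffic is matched for encryption.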


