NAT Internal to DMZ, DMZ to Internal

Sep 10th, 2008

I'm not after the command to do this.

My question is, I would obviously NAT addresses going through the external interface. However, what are the reasons for/against NATing addresses between the DMZ and Internal network?

If you had:

DMZ / 24


Would you NAT an address on the DMZ to the INTERNAL for clients to access it? If you didn't, how would traffic route - would you rely on the PIX/ASA being the default gateway, or advertise the DMZ subnet via OSPF/EIGRP?

Would the same be true if the access was from DMZ to INTERNAL (rather than INTERNAL to DMZ)?

I'm talking about what is best practice (security and manageability), rather than just "making it work".

Any help would be appreciated - I've seen this done in a number of ways.

Jon Marshall Wed, 09/10/2008 - 05:06
The rule I generally use is: if the DMZ is using private addressing that is part of your internal network private addressing, then I would advertise this subnet into the routing tables.

If the DMZ is using public addressing, I would present this as a private address to the inside clients. This way your internal routing tables are kept "clean".

How are these routes propagated internally? Either run a routing protocol on the firewall (although I'm not that keen on doing that if I can avoid it), or use a static route on the nearest internal L3 device and redistribute this into your routing protocol.

All of the above is assuming a relatively large internal network with multiple L3 devices/subnets etc.

From a security perspective there is a good argument for not using the default route but advertising the specific subnets as above. Any packets that manage to get past your firewall from outside to inside will then have an automatic way back out of your network with a default route. If you don't use a default route, your internal L3 devices would not know where to route the return packet and it would get dropped - an additional security feature.

Having said all that, I don't think there is a hard and fast rule for this - a lot of it is up to your preference.
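The return-path argument in the answer above can be checked with a small routing-table model. The following is an added example, not code from the original thread or from any Cisco product: it performs a longest-prefix-match lookup on a constructed internal L3 device's routing table, once with only specific routes (internal subnets plus the DMZ subnet pointing at the firewall's inside address) and once with a default route added. A reply from an internal host to an outside address is forwarded back toward the firewall in the second case and has no route in the first. All addresses, interface names and the topology are assumptions (RFC 1918 and RFC 5737 ranges), chosen only to illustrate the point.

```python
"""Longest-prefix-match lookup on an internal L3 device's routing table.

Added example, not from the original thread. It illustrates the argument
that, without a default route, a reply to an outside address that slipped
past the firewall has no route on the internal L3 device and is dropped.
All addresses below are constructed (RFC 1918 / RFC 5737 ranges).
"""
import ipaddress
from typing import Dict, Optional

# Constructed topology (assumption, not from the post):
#   inside VLANs 10.1.10.0/24 and 10.1.20.0/24 are directly connected,
#   DMZ 10.200.0.0/24 is reachable via the firewall's inside address,
#   which is 10.1.255.1 (the static route that would be redistributed).
FIREWALL_INSIDE = "10.1.255.1"
CONNECTED = "connected"

ROUTES_SPECIFIC_ONLY: Dict[str, str] = {
    "10.1.10.0/24": CONNECTED,          # internal user VLAN
    "10.1.20.0/24": CONNECTED,          # internal server VLAN
    "10.200.0.0/24": FIREWALL_INSIDE,   # DMZ, specific route toward the firewall
}

# Same table plus a default route pointing at the firewall.
ROUTES_WITH_DEFAULT: Dict[str, str] = {
    **ROUTES_SPECIFIC_ONLY,
    "0.0.0.0/0": FIREWALL_INSIDE,
}


def lookup(routes: Dict[str, str], dst: str) -> Optional[str]:
    """Return the next hop for dst by longest prefix match, or None if no route covers it."""
    addr = ipaddress.ip_address(dst)
    best_net = None
    best_hop = None
    for prefix, next_hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def forward_reply(routes: Dict[str, str], dst: str) -> str:
    """Describe what the internal L3 device does with a reply destined to dst."""
    next_hop = lookup(routes, dst)
    if next_hop is None:
        return "dropped: no route"
    if next_hop == CONNECTED:
        return "delivered on connected subnet"
    return f"forwarded via {next_hop}"


if __name__ == "__main__":
    # Constructed outside source that is assumed to have reached an inside host.
    outside_src = "198.51.100.7"
    print("specific routes only:", forward_reply(ROUTES_SPECIFIC_ONLY, outside_src))
    print("with default route:  ", forward_reply(ROUTES_WITH_DEFAULT, outside_src))
    print("reply to DMZ host:   ", forward_reply(ROUTES_SPECIFIC_ONLY, "10.200.0.25"))
```

The same lookup shows why advertising the DMZ prefix (rather than relying on a default route) still gives inside clients a path to the DMZ: 10.200.0.25 matches the specific /24 toward the firewall in both tables, while the outside address matches only the /0.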
