Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
602
Views
5
Helpful
1
Replies

NAT Internal to DMZ, DMZ to Internal

ajenks
Level 1
Level 1

‎09-10-2008 04:32 AM - edited ‎03-11-2019 06:42 AM

I'm not after the command to do this.

My question is, I would obviously NAT addresses going through the external interface. However, what are the reasons for/against NATing addresses between the DMZ and Internal network ?

If you had :

DMZ 192.168.1.0 / 24

INTERNAL 192.168.100.0 / 24

Would you NAT an address on the DMZ to the INTERNAL for clients to access it ? If you didn't, how would traffic route - would you rely on the PIX/ASA being the default gateway, or advertise the DMZ subnet via OSPF/EIGRP ?

Would the same be true if the access was from DMZ to INTERNAL, (rather than INTERNAL to DMZ).

I'm talking about what is best practice (security and manageability), rather than just "making it work".

Any help would be appreciated - I've seen this done in a number of ways.

Labels:
0 Helpful
1 Reply 1

Jon Marshall
Hall of Fame
Hall of Fame

‎09-10-2008 05:06 AM

The rule i generally use is if the DMZ is using private addressing that is part of your internal network private addressing then i would advertise this subnet into the routing tables.

If the DMZ is using public addressing i would present this as a private address to the inside clients. This way your internal routing tables are kept "clean".

How these routes are propagated internally ?- either run a routing protocol on the firewall altho i'm not that keen on doing that if i can avoid it or use a static route on the nearest internal L3 device and redistribute this into your routing protocol.

All of the above is assuming a relatively large internal network with multiple L3 devices/subnets etc.

From a security perspective there is a good argument for not using the default-route but advertising the specific subnets as above. Any packets that manage to get past your firewall from outside to inside will then have an automatic way back out of your network with a default route. If you don't use a default route your internal L3 devices would not know where to route the return packet and it would get dropped - an additional security feature.

Having said all that i don't think there is a hard and fast rule for this - a lot of it is up to your preference.

Jon

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card