static NAT device across DMZs

Unanswered Question
Feb 2nd, 2009

I have a new DMZ that we created for a CSS to act as a DNS server.

The CSS will need to access several other DMZs for the services to check different servers.

All of the existing DMZs are of a higher security level than that of the new DMZ.

My question is regarding the NATing across the DMZs.

Is there a rule of thumb regarding security levels when creating the NATs?

For example, it would be more efficient for me to NAT the new DMZ CSS to the other DMZs, because the other DMZs have more than one server the CSS has to poll:

New_DMZ device = 192.168.8.2
interface security level = 5

DMZ1
192.168.9.5 (server1)
192.168.9.10 (server2)
interface 192.168.9.1
security level = 10

DMZ2
192.168.10.5 (server1)
192.168.10.10 (server2)
interface 192.168.10.1
security level = 11

Does it matter that I NAT the new DMZ device to the other two DMZs, rather than the other way around?

For example:

static (New_DMZ,Dmz1) 192.168.8.2 192.168.8.2 netmask 255.255.255.255

static (New_DMZ,Dmz2) 192.168.8.2 192.168.8.2 netmask 255.255.255.255

celiocarreto Tue, 02/03/2009 - 00:33

Hi,

To communicate between DMZs you don't need any NAT. If you apply an adequate ACL, they can communicate with each other.

Regards, Celio
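
The security-level rule behind this answer, as an added example that is not part of the original thread: the PIX/ASA implicitly permits traffic only from a higher to a lower security level, so the CSS's polls from New_DMZ (5) into Dmz1 (10) and Dmz2 (11) need explicit ACL entries. Addresses and levels are taken from the question; the ACL name, the ASA 7.x/8.x `extended` syntax and the TCP/80 probe port are assumptions.

```python
# Added example: derive the least-privilege ACL the CSS needs from the
# interface security levels given in the question.

LEVELS = {"New_DMZ": 5, "Dmz1": 10, "Dmz2": 11}      # from the question
SERVERS = {                                           # from the question
    "Dmz1": ["192.168.9.5", "192.168.9.10"],
    "Dmz2": ["192.168.10.5", "192.168.10.10"],
}
CSS_IFC, CSS_IP = "New_DMZ", "192.168.8.2"            # from the question
PROBE_PORT = 80          # assumption: the CSS keepalive is a TCP/80 check
ACL_NAME = "New_DMZ_in"  # assumption: hypothetical ACL name


def implicitly_permitted(src_ifc, dst_ifc, levels=LEVELS):
    """True only for higher -> lower security level (the default permit).

    Lower -> higher and equal-level flows are not covered by the implicit
    rule and must be allowed explicitly.
    """
    return levels[src_ifc] > levels[dst_ifc]


def css_probe_acl(name=ACL_NAME, port=PROBE_PORT):
    """Return host-to-host ACL lines for every CSS -> server flow that the
    implicit rule does not already allow, plus the access-group binding."""
    lines = []
    for ifc, hosts in SERVERS.items():
        if implicitly_permitted(CSS_IFC, ifc):
            continue  # higher -> lower: no entry needed
        for ip in hosts:
            lines.append(
                f"access-list {name} extended permit tcp "
                f"host {CSS_IP} host {ip} eq {port}"
            )
    if lines:
        # Bind the ACL inbound on the interface the CSS sits behind.
        lines.append(f"access-group {name} in interface {CSS_IFC}")
    return lines


if __name__ == "__main__":
    print("\n".join(css_probe_acl()))
```

Once an ACL is bound inbound on New_DMZ, its implicit deny replaces the default permit toward lower-level interfaces, so any other traffic the CSS must initiate needs its own entry.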
