I have a new DMZ that we created for a CSS to act as a DNS server.
The CSS will need to access several other DMZs for the services to check different servers.
All of the existing DMZs are of a higher security level than that of the new DMZ.
My question is regarding the NATing across the DMZs.
Is there a rule of thumb regarding security levels when creating the NATs?
For example, it would be more efficient for me to NAT the new DMZ CSS to the other DMZs, because the other DMZs have more than one server the CSS has to poll:
New_DMZ device: 192.168.8.2
  interface security level = 5

DMZ1 (interface 192.168.9.1, security level = 10)
  192.168.9.5   (server1)
  192.168.9.10  (server2)

DMZ2 (interface 192.168.10.1, security level = 11)
  192.168.10.5  (server1)
  192.168.10.10 (server2)
Does it matter that I NAT the new DMZ device to the other two DMZs, rather than the other way around?
For example:

    static (New_DMZ,Dmz1) 192.168.8.2 192.168.8.2 netmask 255.255.255.255
    static (New_DMZ,Dmz2) 192.168.8.2 192.168.8.2 netmask 255.255.255.255
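As an added illustration (not part of the question above, and not a configuration the poster supplied), the following shows how the pieces fit together on a PIX/ASA running pre-8.3 syntax with nat-control enabled. It uses the addresses and interface names from the post; the health-check port (TCP 80) and the object-group/ACL names are assumptions chosen for the example. On PIX 6.3 the `extended` keyword is simply omitted from the access-list lines.

```cisco
! The static's first interface is the one the host really lives on; the second is the
! interface on which the address is presented. Security level does not change that order.
!
! Identity statics for the CSS so it keeps 192.168.8.2 as seen from Dmz1 and Dmz2
static (New_DMZ,Dmz1) 192.168.8.2 192.168.8.2 netmask 255.255.255.255
static (New_DMZ,Dmz2) 192.168.8.2 192.168.8.2 netmask 255.255.255.255

! Hosts on the higher-security DMZs must also have a translation visible from New_DMZ,
! otherwise a connection initiated from the lower-security side has no translation group
! and is dropped (with nat-control). Identity statics keep the real addresses unchanged.
static (Dmz1,New_DMZ) 192.168.9.5 192.168.9.5 netmask 255.255.255.255
static (Dmz1,New_DMZ) 192.168.9.10 192.168.9.10 netmask 255.255.255.255
static (Dmz2,New_DMZ) 192.168.10.5 192.168.10.5 netmask 255.255.255.255
static (Dmz2,New_DMZ) 192.168.10.10 192.168.10.10 netmask 255.255.255.255

! Lower-to-higher traffic is denied by default, so explicitly permit only the CSS and only
! the ports its keepalives use. Port 80 is an assumption for this example; match it to the
! keepalive type actually configured on the CSS.
object-group network DMZ_POLL_TARGETS
 network-object host 192.168.9.5
 network-object host 192.168.9.10
 network-object host 192.168.10.5
 network-object host 192.168.10.10
access-list NEW_DMZ_IN extended permit tcp host 192.168.8.2 object-group DMZ_POLL_TARGETS eq 80
access-list NEW_DMZ_IN extended deny ip any any log
access-group NEW_DMZ_IN in interface New_DMZ
```

Two points worth checking on a real box: the statics for the CSS alone are not enough, because the servers it polls sit on the higher-security side and need their own translation toward New_DMZ (or a `nat 0` exemption), and the inbound access-list on New_DMZ is what actually opens the lower-to-higher path, so keeping it to the one source host and the polled ports limits what a compromised CSS could reach. If nat-control is disabled (the ASA 7.x default), the statics are not required for reachability at all and the access-list is the only control that matters.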