My question is, I would obviously NAT addresses going through the external interface. However, what are the reasons for/against NATing addresses between the DMZ and Internal network?
If you had :
DMZ 192.168.1.0/24
INTERNAL 192.168.100.0/24
Would you NAT an address on the DMZ to the INTERNAL for clients to access it? If you didn't, how would traffic route - would you rely on the PIX/ASA being the default gateway, or advertise the DMZ subnet via OSPF/EIGRP?
Would the same be true if the access was from DMZ to INTERNAL (rather than INTERNAL to DMZ)?
I'm talking about what is best practice (security and manageability), rather than just "making it work".
Any help would be appreciated - I've seen this done in a number of ways.
The rule I generally use is: if the DMZ is using private addressing that is part of your internal network private addressing, then I would advertise this subnet into the routing tables.
If the DMZ is using public addressing, I would present this as a private address to the inside clients. This way your internal routing tables are kept "clean".
How are these routes propagated internally? Either run a routing protocol on the firewall, although I'm not that keen on doing that if I can avoid it, or use a static route on the nearest internal L3 device and redistribute this into your routing protocol.
All of the above is assuming a relatively large internal network with multiple L3 devices/subnets etc.
From a security perspective there is a good argument for not using the default route but advertising the specific subnets as above. Any packets that manage to get past your firewall from outside to inside will then have an automatic way back out of your network with a default route. If you don't use a default route, your internal L3 devices would not know where to route the return packet and it would get dropped - an additional security feature.
Having said all that, I don't think there is a hard and fast rule for this - a lot of it is up to your preference.
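An added example, not from the original thread, that models the routing argument in the answer above with a small longest-prefix-match lookup on an internal L3 device: with only the specific subnets advertised, a reply to an unknown destination has no route and is dropped, while a default route would forward it back out. The DMZ and INTERNAL prefixes are the question's; the 10.20.0.0/16 subnet, the next-hop labels and the outside address 198.51.100.7 are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table of an internal L3 switch. "FW" is the PIX/ASA
# inside interface, "CORE" another internal router. Only specific subnets
# are present: the DMZ is advertised as a /24 pointing at the firewall.
SPECIFIC_ROUTES = {
    ip_network("192.168.100.0/24"): "connected",  # INTERNAL (from the question)
    ip_network("192.168.1.0/24"): "FW",           # DMZ, advertised specifically
    ip_network("10.20.0.0/16"): "CORE",           # other internal subnet (constructed)
}

# Same table plus a default route towards the firewall.
WITH_DEFAULT = {**SPECIFIC_ROUTES, ip_network("0.0.0.0/0"): "FW"}


def lookup(table, dst):
    """Longest-prefix match. Returns the next hop, or None if the packet
    has no route and would be dropped."""
    dst = ip_address(dst)
    best = None
    for net, nexthop in table.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def reply_fate(table, dst):
    """Fate of a reply an internal host sends to dst under a given table."""
    hop = lookup(table, dst)
    return "drop (no route)" if hop is None else f"forward via {hop}"


if __name__ == "__main__":
    for dst in ("192.168.1.10", "10.20.5.5", "198.51.100.7"):
        print(f"{dst:>14}  specific-only: {reply_fate(SPECIFIC_ROUTES, dst):<18}"
              f"  with-default: {reply_fate(WITH_DEFAULT, dst)}")
```

Legitimate traffic to the DMZ and to other internal subnets resolves identically in both tables; only the reply to an address nobody advertised differs.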