Cisco Support Community

New Member

NAT Internal to DMZ, DMZ to Internal

I'm not after the command to do this.

My question is, I would obviously NAT addresses going through the external interface. However, what are the reasons for/against NATing addresses between the DMZ and Internal network?

If you had:

DMZ / 24


Would you NAT an address on the DMZ to the INTERNAL for clients to access it? If you didn't, how would traffic route: would you rely on the PIX/ASA being the default gateway, or advertise the DMZ subnet via OSPF/EIGRP?

Would the same be true if the access was from DMZ to INTERNAL (rather than INTERNAL to DMZ)?

I'm talking about what is best practice (security and manageability), rather than just "making it work".

Any help would be appreciated. I've seen this done in a number of ways.

Hall of Fame Super Blue

Re: NAT Internal to DMZ, DMZ to Internal

The rule I generally use is: if the DMZ is using private addressing that is part of your internal network's private addressing, then I would advertise this subnet into the routing tables.

If the DMZ is using public addressing, I would present this as a private address to the inside clients. This way your internal routing tables are kept "clean".

How are these routes propagated internally? Either run a routing protocol on the firewall (although I'm not that keen on doing that if I can avoid it), or use a static route on the nearest internal L3 device and redistribute this into your routing protocol.

All of the above is assuming a relatively large internal network with multiple L3 devices/subnets etc.

From a security perspective there is a good argument for not using the default route but advertising the specific subnets as above. Any packets that manage to get past your firewall from outside to inside will then have an automatic way back out of your network with a default route. If you don't use a default route, your internal L3 devices would not know where to route the return packet and it would get dropped: an additional security feature.

Having said all that, I don't think there is a hard and fast rule for this; a lot of it is up to your preference.
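The two arrangements described in the reply above, as an added configuration example that is not from the original post, from the poster, or from Cisco documentation: an ASA (8.3+ NAT syntax) with a public DMZ presented to the inside as a private subnet, and the nearest internal L3 switch carrying that private prefix through a redistributed static route with no default route. Every address, object name, interface name, ACL name and the EIGRP AS number is an assumption chosen for illustration.

```cisco
! ===== ASA, 8.3+ NAT syntax (hypothetical addresses and names) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.0
!
! Case 1 (DMZ on private addressing): no NAT between inside and dmz.
! On 8.3+ traffic with no matching NAT rule passes untranslated, so the only
! work is routing the real DMZ subnet internally (switch config below) and
! permitting the specific DMZ -> inside flows, since dmz is the lower security level.
!
! Case 2 (DMZ on public addressing): present 203.0.113.0/24 to inside clients
! as 10.99.0.0/24 so the internal routing tables never carry public space.
object network DMZ-PUBLIC-MAPPED
 subnet 10.99.0.0 255.255.255.0
!
object network DMZ-PUBLIC-REAL
 subnet 203.0.113.0 255.255.255.0
 nat (dmz,inside) static DMZ-PUBLIC-MAPPED
!
! Inside clients reach the web server as 10.99.0.10; the ASA rewrites it to 203.0.113.10.
! ACLs on 8.3+ match real addresses, so the DMZ -> inside policy is written with 203.0.113.x.
access-list DMZ_IN extended permit tcp host 203.0.113.10 host 10.1.1.50 eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! ===== Nearest internal L3 switch, IOS (hypothetical) =====
! Static route for the prefix inside clients will use (the mapped 10.99.0.0/24 in
! case 2, or the real private DMZ subnet in case 1), pointing at the ASA inside address.
ip route 10.99.0.0 255.255.255.0 10.1.1.1 name DMZ-via-ASA
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 ! Carry the static into EIGRP so every internal L3 device learns the specific prefix.
 redistribute static metric 100000 10 255 1 1500
!
! Deliberately no "ip route 0.0.0.0 0.0.0.0 10.1.1.1": internal devices know only
! specific prefixes, so a reply addressed to an unknown external source has no
! route and is dropped here instead of being forwarded back toward the ASA.
```

Check the translation before relying on it: `show nat detail` on the ASA lists the static rule with its hit counts, and `packet-tracer input inside tcp 10.1.1.50 40000 10.99.0.10 80` walks a constructed inside-to-DMZ packet through routing, ACL and NAT and reports the translated destination. Withholding the default route from the internal L3 devices only works when internet-bound traffic leaves through a specifically routed destination, such as a proxy in the DMZ; hosts that must reach the internet directly still need a default route somewhere on their path.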