Cisco Support Community
New Member

public or private addressing on DMZ?

Green field design and have the option of public or private IPs; both seem to have merits.

PRIVATE:

- can easily change ISPs in future without changing IPs on servers, which can be a hassle at times

- through PAT, many more addresses available, assuming ISP gives limited public.

PUBLIC:

- no conflicts with other IPs for VPN or branches

- fewer NAT config headaches.

Thoughts?

1 REPLY
Hall of Fame Super Blue

Re: public or private addressing on DMZ?

Hi

As you say, both have merits, and it really does depend to a large extent on how many servers on DMZ, how many public IPs.

Unless you have provider-independent public IP addressing, all other things being equal I would go for NAT, unless you have any applications that you know will not work with NAT.

I don't think NAT should be viewed as a security function but rather it gives you more flexibility in how you deploy devices. I don't think conflicts with other branches should be an issue because if worse comes to worst you can NAT before IPsec.

NAT can be a pain to configure in some cases but as you say nowhere near as big a pain as readdressing all your DMZ servers.

Jon
