Cisco Support Community

New Member

DMZ Design - DMZ <-> Internal NAT

Hi All,

I would like to get your opinion on whether the following really adds any additional security.

We have a public facing firewall and an internal network. I am creating a DMZ to host some public facing webservers. I'm going to NAT the public IP addresses to the private DMZ addresses. My question is whether you think it's a good idea to also NAT the DMZ (private) addresses to a different (private) address on our internal network. The idea being the real addresses of the DMZ servers would not be routable on our internal network and internal clients could only connect to the internal NAT address of the DMZ servers. As far as I understand it this adds a layer of complexity but not necessarily security. Either way I would be filtering traffic in both directions for DMZ <-> Internal (and of course Outside <-> DMZ).

What would you do?

Appreciate your help

Andy

Accepted Solutions
Hall of Fame Super Blue

Re: DMZ Design - DMZ <-> Internal NAT

Andy

Not sure what you get by doing this. Even if the real private addresses of the DMZ servers were not routable, the NATed addresses would need to be for internal users to access DMZ servers, if indeed they need to. And if they don't need to, then just don't advertise the route into your internal network.

I agree with you in that I cannot see any added security benefit with the added complexity. I wouldn't do it myself.

Jon
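Added example (not from this thread, and not Jon's or Andy's configuration): the design Jon describes, written for a Cisco ASA with 8.3-or-later NAT syntax, with the extra DMZ -> inside NAT Andy asked about shown beside it for comparison. Interface names, host names and all addresses (203.0.113.0/24 public, 10.10.20.0/24 DMZ, 10.0.0.0/16 internal, 10.99.0.0/24 as the hypothetical "DMZ as seen from inside" range) are assumptions for illustration only.

```cisco
! Added example, not from the original thread. ASA 8.3+ syntax; all addresses constructed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0

! 1. Public -> DMZ: the one NAT the design actually needs.
object network WEB1
 host 10.10.20.10
 nat (dmz,outside) static 203.0.113.10

! On 8.3+ access rules match the real (pre-NAT) address, so the ACL names WEB1, not 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any object WEB1 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 2. DMZ -> inside (security level 50 -> 100) is denied by default.
!    Open only what the web tier needs, then explicitly deny and log anything else aimed at internal space.
object network DB1
 host 10.0.5.20
access-list DMZ_IN extended permit tcp object WEB1 object DB1 eq 5432
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.0.0 log
access-list DMZ_IN extended permit tcp any any eq 443
access-group DMZ_IN in interface dmz

! 3. Inside -> DMZ (100 -> 50) is permitted by default, so an ACL on inside is what limits it:
!    admin hosts get SSH, everyone gets the published HTTPS service, nothing else reaches the DMZ.
object-group network ADMIN_HOSTS
 network-object host 10.0.1.50
 network-object host 10.0.1.51
access-list INSIDE_IN extended permit tcp object-group ADMIN_HOSTS object WEB1 eq 22
access-list INSIDE_IN extended permit tcp any object WEB1 eq 443
access-list INSIDE_IN extended deny ip any 10.10.20.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! 4. The extra NAT from the question, for comparison only. A second object for the same
!    host makes WEB1 appear as 10.99.0.10 from the inside.
object network WEB1_INSIDE_VIEW
 host 10.10.20.10
 nat (dmz,inside) static 10.99.0.10
! Internal clients now connect to 10.99.0.10, so 10.99.0.0/24 must be routed to the ASA from
! the inside anyway, and INSIDE_IN / DMZ_IN are unchanged: they still match the real address.
```

Because 8.3+ evaluates access rules against real addresses, the second NAT changes only what internal clients type, not what the rules permit; the filtering in sections 2 and 3 is the whole of the DMZ <-> inside security either way. Two checks worth running after pasting this in: `packet-tracer input inside tcp 10.0.3.7 40000 10.10.20.10 22` should end in a drop on INSIDE_IN, and `packet-tracer input dmz tcp 10.10.20.10 40000 10.0.1.50 445` should end in a drop on DMZ_IN. Note also that withholding a route, as Jon suggests, only helps if internal routers do not already default-route to the firewall; if they do, the inside ACL is what actually stops them.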

Gold

Re: DMZ Design - DMZ <-> Internal NAT

I agree as well. There's no reason to add that complexity.

Security through obscurity is not really effective in the long run.

The only reason to do this would be with addressing (or routing) concerns.

3 REPLIES
New Member

Re: DMZ Design - DMZ <-> Internal NAT

Thanks for both your replies.

I was concerned that this config would actually become a bit too complex and therefore introduce an element of human error.

Cheers

Andy