Educause Security Discussion mailing list archives
Re: NAT for Outside servers
From: "Flagg, Martin D." <FlaggMD () HIRAM EDU>
Date: Thu, 26 Jan 2006 11:04:29 -0500
Thanks for the information. Currently we are running a PIX520 but are going to be migrating to a FWSM. At the same time, we are going to be losing our DMZ address space due to an Internet provider change. I was hoping to use NAT so that DMZ servers would not have to be all readdressed at once. From what you say this should work fine.

Martin D. Flagg
Network Engineer/Administrator
Hiram College
When you want nothing you are seldom lacking.

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () UTC EDU]
Sent: Thursday, January 26, 2006 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NAT for Outside servers

Flagg, Martin D. wrote:
We are in the process of a major IP re-address. I was wondering, is anyone running NAT for servers? Yes or no, could you offer suggestions/problems?
If you mean public servers behind NAT, yes. But 1-to-1 translations for servers.
WWW servers? Yes
Mail Front Ends? Yes
Barracuda? Could be, but currently pass-through public IP.
Depending on what is doing NAT, you might have connection count issues and swamp the device (e.g., low-end PIX), but otherwise not much of an issue.

You will leak "some" inside addressing information through mail headers, especially if you have intermediate mail handlers accepting/forwarding incoming MX and outgoing SMTP messages. The Received: headers will show internal addresses unless you care, and configure around it.

The biggest advantage is if you have several servers with the same access requirements, e.g., web servers, mail servers, etc., spread across campus on disparate subnets, you can do static NAT from the internal addresses into a common external subnet or block, and handle access control to the collective external subnet. This saves from having those long, specifically enumerated provisions for each little server here and there.

Jeff
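Jeff's point about Received: headers exposing internal addresses is easy to check on a message that has left through the NATed mail front end. The script below is an added example, not from the thread; it unfolds a constructed header block (hostnames and addresses are made up) and reports every Received: line that carries an RFC 1918 address.

```python
import ipaddress
import re

# RFC 1918 ranges: the "inside addressing" that Received: headers can expose.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample (not from the thread): a message that crossed an internal
# relay before leaving campus through a statically NATed mail front end.
SAMPLE_HEADERS = """\
Received: from mailfe.example.edu (mailfe.example.edu [198.51.100.25])
    by mx.example.net with ESMTP id abc123
    for <user@example.net>; Thu, 26 Jan 2006 10:47:00 -0500
Received: from relay1.internal (relay1.internal [10.20.30.40])
    by mailfe.example.edu with ESMTP id def456
Received: from [192.168.5.17] (helo=laptop)
    by relay1.internal with esmtp
From: someone@example.edu
Subject: test
"""

def unfold_headers(raw):
    """Join continuation lines (leading whitespace) back onto their header line."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers

def leaked_private_addresses(raw):
    """Return (header_index, address) for each RFC 1918 address in a Received: header."""
    leaks = []
    for idx, header in enumerate(unfold_headers(raw)):
        if not header.lower().startswith("received:"):
            continue
        for candidate in IPV4_RE.findall(header):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # matched the regex but is not a valid address, e.g. 999.1.1.1
            if any(addr in net for net in RFC1918):
                leaks.append((idx, str(addr)))
    return leaks

if __name__ == "__main__":
    for idx, addr in leaked_private_addresses(SAMPLE_HEADERS):
        print(f"Received: header #{idx} exposes internal address {addr}")
```

Run it against a saved copy of an outbound message's headers; any hit is a hop whose Received: line the front end or relay should be configured to rewrite or strip.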