Educause Security Discussion mailing list archives

Re: NAT for Outside servers


From: "Flagg, Martin D." <FlaggMD () HIRAM EDU>
Date: Thu, 26 Jan 2006 11:04:29 -0500

Thanks for the information. Currently we are running a PIX520 but are going
to be migrating to a FWSM.  At the same time, we are going to be losing
our DMZ address space due to an Internet provider change.  I was hoping
to use NAT so that DMZ servers would not have to be all readdressed at
once.  From what you say this should work fine.


Martin D. Flagg 
Network Engineer/Administrator 
Hiram College 

When you want nothing you are seldom lacking.  



-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () UTC EDU] 
Sent: Thursday, January 26, 2006 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NAT for Outside servers

Flagg, Martin D. wrote:
> We are in the process of a major IP re-address. I was wondering, is
> anyone running NAT for servers?  Yes or no, could you offer
> suggestions/problems?

If you mean public servers behind NAT, yes.  But 1-to-1 translations for
servers.

WWW servers?  Yes
Mail Front Ends?  Yes
Barracuda?  Could be, but currently pass-through public IP.

Depending on what is doing NAT, you might have connection count issues
and swamp the device (e.g., low-end PIX) but otherwise not much of an
issue.

You will leak "some" inside addressing information through mail headers,
especially if you have intermediate mail handlers accepting/forwarding
incoming MX and outgoing SMTP messages.  The Received: headers will show
internal addresses unless you care, and configure around it.

The biggest advantage is if you have several servers with the same
access requirements, e.g., web servers, mail servers, etc, spread across
campus on disparate subnets, you can do static NAT from the internal
addresses into a common external subnet or block, and handle access
control to the collective external subnet.  This saves from having those
long, specifically enumerated provisions for each little server here and
there.

Jeff
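The Received: header leak Jeff describes above, as an added example that is not from the thread: a small Python check that walks a message's Received: headers and reports any hop that recorded an RFC 1918 address, which is what a NATed front end's inside address will look like to the next internal MTA. The sample message, host names and addresses are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# RFC 1918 space: a server behind 1-to-1 static NAT has its real address here.
# ipaddress.is_private is deliberately not used, because it also flags the
# documentation ranges (192.0.2.0/24 etc.) that the sample below uses.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed inbound message: the mail store (inside) received it from the
# mail front end, and logged the front end's pre-NAT inside address. The
# front end itself logged the outside relay's public address, which is fine.
SAMPLE_MESSAGE = """\
Received: from mx1.example.edu (mx1.example.edu [10.20.30.40])
\tby mailstore.example.edu (Postfix) with ESMTP id 4F3A2
\tfor <user@example.edu>; Thu, 26 Jan 2006 10:47:00 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx1.example.edu (Postfix) with ESMTP id 1B2C3
\tfor <user@example.edu>; Thu, 26 Jan 2006 10:46:58 -0500
From: sender@example.net
To: user@example.edu
Subject: test

body
"""

def is_internal(addr: str) -> bool:
    """True if addr is a syntactically valid IPv4 address inside RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_leaked_internal_ips(raw_message: str) -> list:
    """Return (hop, ip) for every RFC 1918 address found in a Received: header.
    Hop 1 is the topmost (most recently added) Received: line."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    leaks = []
    for hop, received in enumerate(msg.get_all("Received", []), start=1):
        for addr in IPV4_RE.findall(str(received)):
            if is_internal(addr):
                leaks.append((hop, addr))
    return leaks

if __name__ == "__main__":
    for hop, addr in find_leaked_internal_ips(SAMPLE_MESSAGE):
        print(f"hop {hop}: internal address {addr} exposed in Received: header")
```

Run against outbound mail captured at the border to confirm whether the front end's rewriting (or the MTA's header masking) actually removes the inside hops before they leave campus.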
