Old 2nd December 2015
jggimi

Briefly, the only place I would suggest to use (bidirectional) NAT is on your external, public network. If the router is routing, rather than bridging, your external-facing network is only attached to the router, and none of your servers would have an external address -- the mapping to Internet-facing addresses would be done by the router, and only the router.

---

J65nko reminds me that there are at least two "classic" DMZ topologies that might be considered, so I'll briefly describe them:

  • The DMZ subnet sits between two firewalls, an "inner" and an "outer."
  • The DMZ subnet resides in isolation behind a single firewall.

While I personally prefer the dual-firewall topology, as I believe it offers better defense in depth, either would provide better defensive governance than what you are currently deploying or considering among your solution set.
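As an added illustration (not part of jggimi's post) of the single-firewall DMZ topology with NAT done by the router and only the router, here is an OpenBSD pf.conf sketch; interface names, the 10.0.x.0/24 subnets and the 203.0.113.0/24 "public" block are all assumed for the example.

```pf
# Added example, not from the forum post: one pf firewall with three legs.
# Interface names and every address are constructed; 203.0.113.0/24 stands
# in for the public block the ISP routes to the firewall's external interface.
ext_if = "em0"      # public side, the ONLY interface carrying Internet addresses
dmz_if = "em1"      # DMZ subnet, private addresses only
int_if = "em2"      # internal LAN, private addresses only

dmz_net = "10.0.1.0/24"
int_net = "10.0.2.0/24"
web_dmz = "10.0.1.10"       # the web server's one and only address (private)
web_pub = "203.0.113.10"    # public address the firewall answers for on its behalf

set skip on lo
block log all               # default deny in both directions

# Bidirectional NAT happens here and only here: the DMZ host never holds the
# public address; pf rewrites it on $ext_if in both directions.
match on $ext_if from $web_dmz to any binat-to $web_pub

# Everything else leaving the site is hidden behind the firewall's own address.
match out on $ext_if from { $dmz_net $int_net } to any nat-to ($ext_if)

# Translation is applied before the pass rules below are evaluated, so they
# filter on the private (post-translation) address of the web server.
pass in on $ext_if proto tcp to $web_dmz port { 80 443 }

# Internal users may reach the Internet and the DMZ.
pass in on $int_if from $int_net to any
pass out on $dmz_if to $dmz_net

# DMZ hosts may reach the Internet, but not the internal LAN (defense in depth:
# a compromised DMZ server gets no path inward).
pass out on $ext_if
pass in on $dmz_if from $dmz_net to ! $int_net
```

Check the translation and filter behaviour with `pfctl -vnf /etc/pf.conf` before loading, and confirm with `pfctl -ss` that a connection from the Internet to 203.0.113.10 appears as a state to 10.0.1.10.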