Educause Security Discussion mailing list archives
Re: NAT for Outside servers
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 26 Jan 2006 10:47:29 -0500
Flagg, Martin D. wrote:
> We are in the process of a major IP re-address. I was wondering, is anyone running NAT for servers? Yes or no, could you offer suggestions/problems?
If you mean public servers behind NAT, yes. But 1-to-1 translations for servers.
WWW servers? Yes
Mail Front Ends? Yes
Barracuda? Could be, but currently pass-through public IP.

Depending on what is doing NAT, you might have connection count issues and swamp the device (e.g., low-end PIX) but otherwise not much of an issue.

You will leak "some" inside addressing information through mail headers, especially if you have intermediate mail handlers accepting/forwarding incoming MX and outgoing SMTP messages. The Received: headers will show internal addresses unless you care, and configure around it.

The biggest advantage is if you have several servers with the same access requirements, e.g., web servers, mail servers, etc., spread across campus on disparate subnets, you can do static NAT from the internal addresses into a common external subnet or block, and handle access control to the collective external subnet. This saves from having those long, specifically enumerated provisions for each little server here and there.

Jeff
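
The Received: header leak mentioned in the reply above can be audited on outbound mail. The following is an added example, not part of the original post: a Python check that walks a message's Received: headers and reports any RFC 1918 address. The function name, sample message, hostnames and addresses are constructed for illustration.

```python
import email
import ipaddress
import re

# RFC 1918 ranges only; ipaddress.is_private would also match documentation nets.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample: a message relayed by two internal hosts before the
# public-facing (NATed) mail front end handed it to an outside server.
SAMPLE = (
    "Received: from mx1.example.edu (mx1.example.edu [192.0.2.25])\n"
    "\tby mail.example.net with ESMTP id A1; Thu, 26 Jan 2006 10:47:40 -0500\n"
    "Received: from relay.example.edu (relay.example.edu [10.20.30.40])\n"
    "\tby mx1.example.edu with ESMTP id B2; Thu, 26 Jan 2006 10:47:35 -0500\n"
    "Received: from [172.16.5.77] (helo=desktop)\n"
    "\tby relay.example.edu with SMTP id C3; Thu, 26 Jan 2006 10:47:30 -0500\n"
    "From: user@example.edu\n"
    "To: someone@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def leaked_internal_hops(raw_message):
    """Return (hop_index, address) for each RFC 1918 address in Received: headers.

    Hop 0 is the topmost header, i.e. the hop closest to the recipient.
    """
    msg = email.message_from_string(raw_message)
    findings = []
    for hop, header in enumerate(msg.get_all("Received", [])):
        for candidate in IPV4.findall(header):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looked like dotted-quad but is not a valid address
            if any(addr in net for net in RFC1918):
                findings.append((hop, str(addr)))
    return findings

if __name__ == "__main__":
    for hop, addr in leaked_internal_hops(SAMPLE):
        print(f"Received hop {hop} exposes internal address {addr}")
```

Run against messages captured at the outbound edge, it shows which internal relays would need their Received: lines rewritten or stripped before mail leaves the site.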