Educause Security Discussion mailing list archives

Re: NAT for Outside servers


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 26 Jan 2006 10:47:29 -0500

Flagg, Martin D. wrote:
We are in the process of a major IP re-address. I was wondering, is anyone running NAT for servers? Yes or no, could you offer suggestions/problems?

If you mean public servers behind NAT, yes.  But 1-to-1 translations for servers.

WWW servers?  Yes
Mail Front Ends?  Yes
Barracuda?  Could be, but currently pass-through public IP.

Depending on what is doing NAT, you might have connection count issues and swamp the device (e.g., low-end PIX) but otherwise not much of an issue.

You will leak "some" inside addressing information through mail headers, especially if you have intermediate mail handlers accepting/forwarding incoming MX and outgoing SMTP messages. The Received: headers will show internal addresses unless you care, and configure around it.

The biggest advantage is if you have several servers with the same access requirements, e.g., web servers, mail servers, etc., spread across campus on disparate subnets, you can do static NAT from the internal addresses into a common external subnet or block, and handle access control to the collective external subnet. This saves you from having those long, specifically enumerated provisions for each little server here and there.

Jeff
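One defender-side check for the Received: header leakage described above, as an added example that is not part of the thread: a Python script that scans a message for RFC 1918 addresses in its Received: hops, so a mail admin can verify that the front ends behind 1-to-1 NAT are not advertising inside addressing. The sample message, hostnames and addresses below are constructed and hypothetical.

```python
"""Find internal (RFC 1918) addresses exposed in Received: headers.

Added example, not from the original mailing-list thread. The sample
message and every hostname/address in it are constructed."""
import email
import ipaddress
import re

# Private address space that should not appear in headers leaving the site.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quad not embedded in a longer dotted/numeric token.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample: the public MX (203.0.113.10) relayed a message that came
# from an internal mail front end (10.20.30.40) and a desktop (172.16.5.7).
SAMPLE = """\
Received: from mx.example.edu (mx.example.edu [203.0.113.10])
\tby relay.example.net with ESMTP; Thu, 26 Jan 2006 10:47:29 -0500
Received: from mailfe.campus.example.edu (mailfe.campus.example.edu [10.20.30.40])
\tby mx.example.edu with ESMTP; Thu, 26 Jan 2006 10:47:10 -0500
Received: from [172.16.5.7] (unknown [172.16.5.7])
\tby mailfe.campus.example.edu with ESMTP; Thu, 26 Jan 2006 10:47:00 -0500
From: user@example.edu
To: someone@example.net
Subject: test

body
"""


def leaked_internal_addresses(raw_message: str) -> list:
    """Return (hop_index, address) pairs for each RFC 1918 address found in a
    Received: header; hop 0 is the outermost (most recently added) header."""
    msg = email.message_from_string(raw_message)
    leaks = []
    for hop, header in enumerate(msg.get_all("Received", [])):
        for candidate in IP_RE.findall(header):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # an octet out of range; not a real address
            if any(addr in net for net in RFC1918) and (hop, str(addr)) not in leaks:
                leaks.append((hop, str(addr)))
    return leaks


if __name__ == "__main__":
    for hop, addr in leaked_internal_addresses(SAMPLE):
        print(f"hop {hop}: internal address {addr} exposed in a Received: header")
```

Run it against copies of real outbound mail captured at the border relay; any hit past hop 0 points at a mail handler whose Received: stamping needs to be configured around, as the post suggests.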
