List:       sidewinder
Subject:    Re: [Sidewinder] NAT vs Redirect
From:       Barry_X_Bisogni () consecofinance ! com
Date:       2001-12-11 15:18:17

Jeff wrote:  "...why I would recommend putting Internet routable IP
addresses in the DMZ and not bothering with a redirect acl.  Your log files
on your web server will become virtually worthless as all traffic will
appear to come from the firewall in your web server logs. "

This is an excellent method.  However, some facilities are severely limited
in the number of external IPs available and subnetting them could become
quite a headache.  If you keep the routable IPs on the outside burb of the
Sidewinder and use a redirect with NAT turned off, the initial connection
is still made to the outside of the firewall, while the original source IP
is passed to the webserver to permit logging.  This is one of the reasons
that NAT was changed from proxy-based to acl-based in 5.0, that and it is
really inconvenient to turn NAT off for all traffic moving through a
particular proxy.

Regards,
Barry Bisogni
Network Security
Conseco Finance

