Solved

public IPs on NICs versus natting to private IPs on NICs

Posted on 2013-01-24
5
354 Views
Last Modified: 2013-01-29
Hi there,
I am new to Experts Exchange and am in the trial bit. I will be paying the fee when it comes time because so far there are lots of cool answers I have been getting, and really quick too. Thanks heaps so far.

This question is just a background question for my own understanding.
I am in a bigger network than I have worked in before and am interested in why you would have a public IP on a NIC and let traffic in on a firewall through certain ports directly to the NIC, versus just NATing on the firewall through open ports to a private-range IP on a NIC.

The times I have seen a NIC configured with a public IP are on servers in the DMZ.
We still have rules on the DMZ firewall that only allow certain traffic to the public IP NICs on the servers with them.
Why does it seem that it is okay for the internet to know the IP of a NIC in the DMZ, versus NATing to the internal domain to a private IP?
Wouldn't it be better to NAT to a private IP NIC on a server in the DMZ as well, for the same reasons? I.e. the internet knows less about your configuration, meaning you are more secure?

This is just for my own understanding of when to put a public IP on a NIC versus when to put a private IP.
For what it is worth we have plenty of spare public IPs.

Thanks,
Shaun
0
Question by:shaunwoy
5 Comments
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38817908
First, let's understand public and private IPs.

Public IPs are those IPs known to the outside world. There is a well-defined pool of public IPs, and every organization or ISP has to buy & sell IPs from that pool.

When you want to go on the internet you have to use a public IP to reach the internet.

Private IPs are private to a particular organization; with them it can communicate within the organization.

Since you have to pay some money to use/buy a public IP from your ISP, and if you have a lot of users who use the internet, in that case you would have to spend a lot of money buying a public IP for each user. Thus we do NATing.

NATing means mapping private IP addresses to public IP addresses.

That's why you see the above setup in your network.
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 500 total points
ID: 38818506
The difference between putting a public IP on the NIC (and thus in the DMZ) vs doing the NAT translation is that by putting it on the NIC you are bypassing NAT. This is sometimes required depending on what the server/machine that has the public IP is running, i.e. some technologies don't like NAT (VoIP for example) and thus they operate better in the DMZ.

So if there's a requirement to bypass NAT, this is why it's usually done like this (or one of the reasons).
0
 

Author Comment

by:shaunwoy
ID: 38823064
That's a nice explanation. Thanks.
Are you saying then it would be best practice to NAT unless there is a specific requirement? Would a server in the DMZ always have one of its NICs with a public IP, or would it be NATed out of the DMZ as well, as an extra layer, if a technology doesn't require a public IP? For example a web server?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 38830404
Thanks for the points. To answer your last bit (sorry for the delay), the DMZ is normally a separate 'zone' on your firewall/router, so in effect it's like another LAN behind your router.

That is, you have your LAN, which is the client machines and servers.
You have a DMZ, which holds web servers (or public-facing servers, i.e. ones that need to be accessed by the outside public).
You have the WAN, which is your router/firewall public IP.

So in a lot of the business-class routers/firewalls there can be additional 'security' features that you need to enable, where servers in the DMZ are limited in what they can see on the LAN side, etc. You've probably seen a few posts on the web about DMZ, but here's a simple enough explanation that may assist...

http://community.spiceworks.com/topic/139801-dmz-vs-nat
0
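The two arrangements discussed in the accepted answer and the zone description above, side by side in one firewall policy. This is an added illustration in nftables syntax, not configuration from the thread or from any product named in it; interface names, the 203.0.113.0/24 documentation block and the RFC 1918 ranges are all assumed.

```nft
#!/usr/sbin/nft -f
# Assumed layout (constructed for this example):
#   eth0 = WAN, eth1 = LAN 10.0.0.0/24, eth2 = DMZ
#   The DMZ segment carries a routed public subnet (203.0.113.0/28) for
#   Case A hosts and a private range (192.168.50.0/24) for Case B hosts.
flush ruleset

define WAN = eth0
define LAN = eth1
define DMZ = eth2
define FW_PUBLIC = 203.0.113.1
# Case A: server with the public IP directly on its DMZ NIC (routed, no NAT)
define VOIP_PUB = 203.0.113.2
# Case B: server keeps a private DMZ address; a spare public IP is NATed to it
define WEB_PUB = 203.0.113.3
define WEB_PRIV = 192.168.50.10

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Case A: packets reach the public IP on the NIC unchanged, but the
        # firewall still only lets the listed ports through (SIP + RTP range)
        iifname $WAN oifname $DMZ ip daddr $VOIP_PUB udp dport { 5060, 10000-20000 } accept

        # Case B: the filter rule names the private address, because DNAT in
        # prerouting has already rewritten the destination before forward runs
        iifname $WAN oifname $DMZ ip daddr $WEB_PRIV tcp dport { 80, 443 } accept

        # LAN may reach the Internet and the DMZ
        iifname $LAN oifname { $WAN, $DMZ } accept
        # DMZ hosts may reach the Internet (updates, DNS) but must never
        # initiate connections into the LAN: a compromised DMZ box stays contained
        iifname $DMZ oifname $WAN accept
        iifname $DMZ oifname $LAN drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Case B only: map the spare public IP to the private DMZ host
        iifname $WAN ip daddr $WEB_PUB tcp dport { 80, 443 } dnat to $WEB_PRIV
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Private LAN and DMZ hosts share the firewall's public IP outbound;
        # the Case A host needs no SNAT because its source is already public
        oifname $WAN ip saddr 10.0.0.0/24 snat to $FW_PUBLIC
        oifname $WAN ip saddr 192.168.50.0/24 snat to $FW_PUBLIC
    }
}
```

Whichever arrangement is used, the forward chain is what limits exposure; NAT only changes which address the filter rule has to name.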
 

Author Comment

by:shaunwoy
ID: 38832684
Thanks for that smckeown777, that is really cool. The link did help too.
0