Solved

public IPs on NICs versus natting to private IPs on NICs

Posted on 2013-01-24
Last Modified: 2013-01-29
Hi there,
I am new to Experts Exchange and am in the trial bit. I will be paying the fee when it comes time because so far there are lots of cool answers I have been getting, and really quick too. Thanks heaps so far.

This question is just a background question for my own understanding.
I am in a bigger network than I have worked in before and am interested in why you would have a public IP on a NIC and let traffic in on a firewall through certain ports directly to the NIC, versus just NATing on the firewall through open ports to a private-range IP on a NIC.

The times I have seen a NIC configured with a public IP are on servers in the DMZ.
We still have rules on the DMZ firewall that only allow certain traffic to the public IP NICs on the servers with them.
Why does it seem that it is okay for the internet to know the IP of a NIC in the DMZ, versus NATing to the internal domain to a private IP?
Wouldn't it be better to NAT to a private IP NIC on a server in the DMZ as well, for the same reasons? I.e. the internet knows less about your configuration, meaning you are more secure?

This is just for my own understanding of when to put a public IP on a NIC versus when to put a private IP.
For what it is worth we have plenty of spare public IPs.

Thanks,
Shaun
Question by:shaunwoy

5 Comments

Expert Comment

by:Sandeep Gupta
ID: 38817908
First, let's understand public and private IPs.

Public IPs are those IPs known to the outside world. There is a well-defined pool of public IPs, and every organization or ISP has to buy and sell IPs from that pool.

When you want to go on the internet you have to use a public IP to reach it.

Private IPs are private to a particular organization; with them it can communicate within the organization.

Since you have to pay money to use/buy public IPs from your ISP, and if you have a lot of users on the internet you would have to spend a lot of money buying a public IP for each user, we do NATing.

NATing means mapping private IP addresses to public IP addresses.

That's why you see the above set-up in your network.
Accepted Solution

by:smckeown777 (earned 500 total points)
ID: 38818506
The difference between putting a public IP on the NIC (and thus in the DMZ) vs doing the NAT translation is that by putting it on the NIC you are bypassing NAT. This is sometimes required depending on what the server/machine that has the public IP is running, i.e. some technologies don't like NAT (VoIP for example) and thus operate better in the DMZ.

So if there's a requirement to bypass NAT, this is why it's usually done like this (or one of the reasons).
Author Comment

by:shaunwoy
ID: 38823064
That's a nice explanation. Thanks.
Are you saying then that it would be best practice to NAT unless there is a specific requirement? Would a server in the DMZ always have one of its NICs with a public IP, or are they NATed out of the DMZ as well, as an extra layer, if a technology doesn't require a public IP, for example a web server?
Expert Comment

by:smckeown777
ID: 38830404
Thanks for the points. To answer your last bit (sorry for the delay), the DMZ is normally a separate 'zone' on your firewall/router... so in effect it's like another LAN behind your router.

That is, you have your LAN, which is the client machines and servers.
You have a DMZ, which holds web servers (or public-facing servers, i.e. ones that need to be accessed by the outside public).
You have the WAN, which is your router/firewall public IP.

So in a lot of the business-class routers/firewalls there can be additional 'security' features that you need to enable, where servers in the DMZ are limited in what they can see on the LAN side etc... You've probably seen a few posts on the web about DMZs, but here's a simple enough explanation that may assist...

http://community.spiceworks.com/topic/139801-dmz-vs-nat
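
As an added illustration (constructed for this page, not posted by anyone in the thread), here are the two designs discussed above side by side in an nftables ruleset: one DMZ host reached by NAT from a public address the firewall holds, and one VoIP host with a public address directly on its NIC. Both are limited to the ports they need, and neither may initiate traffic toward the LAN. Interface names, the documentation address ranges and the RTP port range are assumptions.

```nft
# Constructed example. Documentation ranges stand in for real ones:
# 203.0.113.0/24 = the organisation's public block, 10.10.0.0/24 = private
# DMZ range, 192.168.1.0/24 = LAN. Assumed interfaces: wan0, dmz0, lan0.
flush ruleset

table inet edge {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Design A: web server with a PRIVATE IP (10.10.0.10). The public
        # address 203.0.113.10 lives only on the firewall; the DNAT rule in
        # table ip edge_nat rewrites the destination before routing, so by
        # the time packets reach this chain they are addressed to 10.10.0.10.
        iifname "wan0" oifname "dmz0" ip daddr 10.10.0.10 tcp dport 443 accept

        # Design B: SIP/VoIP host with a PUBLIC IP (203.0.113.20) on its own
        # NIC, so NAT is bypassed. Exposure is still confined to the ports
        # the service needs; everything else to that host hits the drop
        # policy. The RTP range is an assumption; use what your PBX needs.
        iifname "wan0" oifname "dmz0" ip daddr 203.0.113.20 udp dport 5060 accept
        iifname "wan0" oifname "dmz0" ip daddr 203.0.113.20 udp dport 10000-20000 accept

        # DMZ hosts may reach the internet but must not initiate anything
        # toward the LAN (the "limited in what they can see" point above).
        iifname "dmz0" oifname "wan0" accept
        iifname "dmz0" oifname "lan0" counter drop

        # LAN may reach the internet and the DMZ services.
        iifname "lan0" oifname { "wan0", "dmz0" } accept
    }
}

table ip edge_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Design A only: map the firewall-held public address to the private host.
        iifname "wan0" ip daddr 203.0.113.10 tcp dport 443 dnat to 10.10.0.10
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Hide the LAN and the private DMZ range behind the firewall's own
        # address on the way out; 203.0.113.20 is already public and is untouched.
        oifname "wan0" ip saddr { 192.168.1.0/24, 10.10.0.0/24 } snat to 203.0.113.1
    }
}
```

Load with `nft -f` on the firewall; the point to take from it is that the filtering in the forward chain is what limits exposure, and it is identical whether the host's address is public or translated.
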
Author Comment

by:shaunwoy
ID: 38832684
Thanks for that smckeown777, that is really cool. The link did help too.