Solved

public IPs on NICs versus natting to private IPs on NICs

Posted on 2013-01-24
Medium Priority
356 Views
Last Modified: 2013-01-29
Hi there,
I am new to Experts Exchange and am in the trial bit. I will be paying the fee when it comes time because so far there are lots of cool answers I have been getting, and really quick too. Thanks heaps so far.

This question is just a background question for my own understanding.
I am in a bigger network than I have worked in before and am interested in why you would have a public IP on a NIC and let traffic in on a firewall through certain ports directly to the NIC, versus just natting on the firewall through ports that are open to a private range IP on a NIC.

The times I have seen a NIC configured with a public IP are on servers in the DMZ.
We still have rules on the DMZ firewall that only allow certain traffic to the public IP NICs on the servers with them.
Why does it seem that it is okay for the internet to know the ip of a NIC in the DMZ versus natting to the internal domain to a private IP?
Wouldn't it be better to NAT to a private IP NIC on a server in the DMZ as well for the same reasons? I.e. the internet knows less about your configuration, meaning you are more secure?

This is just for my own understanding of when to put a public IP on a NIC versus when to put a private IP.
For what it is worth we have plenty of spare public IPs.

Thanks,
Shaun
Question by: shaunwoy
5 Comments
Expert Comment by: Sandeep Gupta (LVL 9)
ID: 38817908
First, let's understand public and private IPs.

Public IPs are those IPs known to the outside world. There is a well-defined pool of public IPs, and every organization or ISP has to buy & sell IPs from that pool.

When you want to go on the internet you have to use a public IP to reach the internet.

Private IPs are private to a particular organization; with them they can communicate within the organization.

Since you have to pay some money to use/buy a public IP from your ISP, if you have a lot of users using the internet you would have to spend a lot of money buying a public IP for each user; thus we do NATing.

NATing means mapping a private IP address to a public IP address.

That's why you see the above set-up in your network.
Accepted Solution by: smckeown777 (LVL 24, earned 1500 total points)
ID: 38818506
The difference between putting a public IP on the NIC (and thus in the DMZ) vs doing the NAT translation is that by putting it on the NIC you are bypassing NAT. This is sometimes required depending on what the server/machine that has the public IP is running, i.e. some technologies don't like NAT (VoIP for example) and thus they operate better in the DMZ.

So if there's a requirement to bypass NAT, this is why it's usually done like this (or one of the reasons).
Author Comment by: shaunwoy
ID: 38823064
That's a nice explanation. Thanks.
Are you saying then that it would be best practice to NAT unless there is a specific requirement? Would a server in the DMZ always have one of its NICs with a public IP, or are they NATed out of the DMZ as well, as an extra layer, if a technology doesn't require a public IP? For example a web server?
Expert Comment by: smckeown777 (LVL 24)
ID: 38830404
Thanks for the points. To answer your last bit (sorry for the delay), the DMZ is normally a separate 'zone' on your firewall/router... so in effect it's like another LAN behind your router.

That is, you have your LAN, which is the client machines and servers.
You have a DMZ, which holds web servers (or public-facing servers, i.e. ones that need to be accessed by the outside public).
You have the WAN, which is your router/firewall public IP.

So in a lot of the business-class routers/firewalls there can be additional 'security' features that you need to enable, where servers in the DMZ are limited in what they can see on the LAN side etc... You've probably seen a few posts on the web about DMZs, but here's a simple enough explanation that may assist...

http://community.spiceworks.com/topic/139801-dmz-vs-nat
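As an added illustration (not part of the thread, and not code from either poster), the following Python model contrasts the two designs the two answers above describe: a server with a public IP on its DMZ NIC behind a plain filter rule, versus the same public IP held on the firewall and DNATed to a private DMZ address. It also makes the "some technologies don't like NAT" point concrete: a SIP-style server writes its own interface address into the payload, and DNAT does not rewrite that. All addresses, rule sets and the header format are constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public space.

```python
"""Added example, not from the original thread: a small model of a DMZ with a
routed public IP on the server's NIC versus DNAT to a private DMZ address.
All addresses below are constructed; 203.0.113.0/24 stands in for public
space, 172.16.10.0/24 is the private DMZ and 10.0.0.0/8 is the LAN."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PUBLIC_IP = ip_address("203.0.113.10")        # assumption: one spare public IP
DMZ_PRIVATE_IP = ip_address("172.16.10.10")   # assumption: private DMZ address
LAN = ip_network("10.0.0.0/8")
DMZ = ip_network("172.16.10.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                  # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First-match filter with an implicit default drop, like a zone policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Design A: the public IP sits on the DMZ NIC; the firewall only filters.
ROUTED_RULES = [
    Rule("accept", dst=str(PUBLIC_IP), dport=443),    # Internet -> web server
    Rule("drop", src=str(PUBLIC_IP), dst=str(LAN)),   # DMZ host may not reach LAN
]

# Design B: the public IP sits on the firewall and is DNATed to the DMZ host.
NAT_MAP = {(str(PUBLIC_IP), 443): (str(DMZ_PRIVATE_IP), 443)}
NATTED_RULES = [
    Rule("accept", dst=str(DMZ_PRIVATE_IP), dport=443),  # filtered after DNAT
    Rule("drop", src=str(DMZ), dst=str(LAN)),            # same DMZ -> LAN block
]


def dnat(p: Packet) -> Packet:
    """Rewrite the destination if a DNAT mapping exists, otherwise pass through."""
    new_dst, new_port = NAT_MAP.get((p.dst, p.dport), (p.dst, p.dport))
    return Packet(p.src, new_dst, new_port)


def deliver(design: str, p: Packet) -> Optional[str]:
    """Return the destination address the server sees, or None if dropped."""
    if design == "routed":
        return p.dst if filter_packet(ROUTED_RULES, p) == "accept" else None
    q = dnat(p)  # DNAT runs before the filter, as on most firewalls
    return q.dst if filter_packet(NATTED_RULES, q) == "accept" else None


def sip_contact(server_ip: str) -> str:
    """A SIP-style Contact header: the server embeds its *own* NIC address."""
    return f"Contact: <sip:alice@{server_ip}:5060>"


def advertised_address_usable(header: str) -> bool:
    """DNAT rewrites IP headers, not payload, so an RFC 1918 address advertised
    inside the application message is unreachable from the Internet."""
    host = header.split("@")[1].split(":")[0]
    addr = ip_address(host)
    return not any(addr in net for net in RFC1918)


if __name__ == "__main__":
    inbound = Packet("198.51.100.7", str(PUBLIC_IP), 443)
    for design in ("routed", "natted"):
        seen = deliver(design, inbound)
        print(design, "server sees", seen, "advertises", sip_contact(seen),
              "usable:", advertised_address_usable(sip_contact(seen)))
```

Running it shows the routed design hands the server `203.0.113.10` while the NAT design hands it `172.16.10.10`; the SIP-style header built from that address is only usable from outside in the routed case, which is the "bypass NAT" requirement from the accepted answer. A packet from the DMZ host to the LAN is dropped in both designs, so the isolation the second answer describes comes from the zone rules, not from whether the NIC address is public or private.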
Author Comment by: shaunwoy
ID: 38832684
Thanks for that smckeown777, that is really cool. The link did help too.