Solved

public IPs on NICs versus natting to private IPs on NICs

Posted on 2013-01-24
5
341 Views
Last Modified: 2013-01-29
Hi there,
I am new to Experts Exchange and am in the trial bit. I will be paying the fee when it comes time because so far there are lots of cool answers I have been getting, and really quick too.  Thanks heaps for so far.

This question is just a background question for my own understanding.
I am in a bigger network than I have worked in before and am interested in why you would have a public IP on a nic and letting traffic in on a firewall through certain ports directly to the NIC,  versus just natting on the firewall through ports that are open to a private range IP on a NIC.

The times I have seen a NIC configured with a public IP are on servers in the DMZ.
We still have rules on the DMZ firewall that only allow certain traffic to the public IP NICs on the servers with them.
Why does it seem that it is okay for the internet to know the ip of a NIC in the DMZ versus natting to the internal domain to a private IP?
Wouldn't it be better to NAT to a Private IP NIC on a server in the DMZ as well for the same reasons? IE the internet knows less about your configuration meaning you are more secure?

This is just for my own understanding of when to put a public IP on a NIC versus when to put a private IP.
For what it is worth we have plenty of spare public IPs.

Thanks,
Shaun
0
Comment
Question by:shaunwoy
  • 2
  • 2
5 Comments
 
LVL 9

Expert Comment

by:Sandeep Gupta
Comment Utility
first lets understand public and private IP.

Public IPs are those IP known to outside world. There is well defined pool of public IPs and every organization or ISP has to buy & sell IPs from that pool.

when you want to go on internet you have to use any public IP to reach internet.
 
Private IPs are private to any particular organization with it they can comunicate within the organization.

Since you have to pay some money to use/buy public IP form your ISP provider and if you have lot of user to use internet and in this case you have to spend lot of money in buying public IP for each user thus we do NATING.

NATing means mapping of private IP address to public IP address.

Thats why you see abov set-up in your network.
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 500 total points
Comment Utility
The difference between putting a public IP on the NIC(and thus in the DMZ) vs doing the NAT translation is by putting on the NIC you are bypassing NAT - this is sometimes required depending on what the server/machine that has the public IP is running - i.e. some technologies don't like NAT(VOIP for example) and thus they operate better in the DMZ

So if there's a requirement to bypass NAT this is why its usually done like this(or one of the reasons)
0
 

Author Comment

by:shaunwoy
Comment Utility
That's a nice explanation. Thanks.  
Are you saying then it would be best practice to NAT unless there is a specific requirement?  Does a server in the DMZ would always have one of their NICs with a public IP or are they NATed out of the DMZ as well as an extra layer if a technology doesn't require a public IP. For example a webserver?
0
 
LVL 24

Expert Comment

by:smckeown777
Comment Utility
Thanks for the points, to answer you last bit(sorry for the delay), the DMZ is normally a seperate 'zone' on your firewall/router...so in effect its like another LAN behind your router

That is you have you LAN which is the client machines and server
You have a DMZ which holds web servers(or public facing servers, i.e. need to be accessed by the outside public)
You have the WAN which is your router/firewall public IP

So in a lot of the business class routers/firewalls there can be additional 'security' features that you need to enable where servers in the DMZ are limited in what they can see on the LAN side etc...you've probably seen a few posts on the web about DMZ but here's a simple enough explanation that may assist...

http://community.spiceworks.com/topic/139801-dmz-vs-nat
0
 

Author Comment

by:shaunwoy
Comment Utility
Thanks for that smckeown777, that is really cool.  The link did help too.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now