Tuesday, May 5, 2020

Static NAT vs combined source and destination NAT use cases

Hi, I'm hoping you all can help me wrap my head around the use case for static NAT as opposed to combined source and destination NAT. The assumption here is that you have a server behind a firewall, with the public side being untrusted and the private side being trusted. If this server needs to be accessed from the public side, a destination NAT would be used to forward the public IP to the private IP. Conversely, if the internal server needs to access the public internet, a source NAT would overwrite the source IP with *something*. This *something*, if configured to be the same public IP that is used for the destination NAT, would seem to be essentially a static NAT. However, there are other options that can be inserted for *something*. For example, you can insert the IP of the egress interface for all outbound traffic, or you can choose from a shared pool of public IPs. My question, then, is about in which use case you would want to use the static NAT (with outbound traffic for the server using the same source address as inbound traffic) over the combined source / destination NAT (with outbound traffic using a shared source IP)? It seems that topology hiding is the main purpose of the source NAT, and using the combined source / destination NAT seems more secure in that respect. Any and all thoughts are appreciated.
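The two designs the question contrasts, as an added example that is not part of the original post: a toy NAT engine in Python runs the same constructed traffic through a 1:1 static NAT and through a port-restricted DNAT paired with a shared SNAT. All addresses are RFC 5737 documentation ranges, and the hosts, ports and rule layout are assumptions chosen for illustration, not anything from the post. Two things a practitioner would check show up in the results. First, the static mapping carries every port of the public address to the server, so unsolicited traffic to port 22 reaches it unless the filter policy stops it, whereas the combined design only admits the published port. Second, with the shared SNAT the server's outbound flows leave with the same source address as every other internal host, so an outside observer cannot single them out by address; the price is that the NAT has to remap source ports when two inside hosts collide, which the toy does the way a real connection tracker would.

```python
"""Toy NAT engine contrasting static (1:1) NAT with port-restricted DNAT
plus shared SNAT.  Example code, not from the original post; all addresses
are RFC 5737 documentation ranges and all hosts/ports are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    public_ip: str
    private_ip: str
    dport: Optional[int] = None  # None = every port, i.e. the 1:1 static case


@dataclass(frozen=True)
class SnatRule:
    private_net: str  # a host ("10.0.0.10") or a prefix ("10.0.0.0/24")
    public_ip: str


class Nat:
    """First matching rule wins; conntrack maps translated flows back."""

    def __init__(self, dnat, snat):
        self.dnat, self.snat = dnat, snat
        # (public_src, public_sport, dst, dport) -> (private_src, private_sport)
        self.conntrack = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        for r in self.snat:
            if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.private_net, strict=False):
                port = pkt.sport
                # Shared public IP: two hosts may pick the same source port, so
                # the NAT must re-map one of them, as real conntrack does.
                while self.conntrack.get((r.public_ip, port, pkt.dst, pkt.dport),
                                         (pkt.src, pkt.sport)) != (pkt.src, pkt.sport):
                    port += 1
                self.conntrack[(r.public_ip, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                return Packet(r.public_ip, port, pkt.dst, pkt.dport)
        return None  # no SNAT rule covers this host: drop

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Replies to flows we translated outbound are reversed via conntrack.
        hit = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if hit:
            return Packet(pkt.src, pkt.sport, hit[0], hit[1])
        # Otherwise this is unsolicited traffic: only a DNAT rule lets it in.
        for r in self.dnat:
            if pkt.dst == r.public_ip and r.dport in (None, pkt.dport):
                return Packet(pkt.src, pkt.sport, r.private_ip, pkt.dport)
        return None


# Constructed topology (assumed for the example).
SERVER, WORKSTATION = "10.0.0.10", "10.0.0.50"
SERVER_PUBLIC, EGRESS_IP = "203.0.113.10", "203.0.113.1"


def static_nat() -> Nat:
    """1:1 static NAT: the server owns a whole public address in both directions."""
    return Nat(dnat=[DnatRule(SERVER_PUBLIC, SERVER)],
               snat=[SnatRule(SERVER, SERVER_PUBLIC),          # most specific first
                     SnatRule("10.0.0.0/24", EGRESS_IP)])


def combined_nat() -> Nat:
    """DNAT only the published port; every inside host shares the egress IP."""
    return Nat(dnat=[DnatRule(SERVER_PUBLIC, SERVER, dport=443)],
               snat=[SnatRule("10.0.0.0/24", EGRESS_IP)])


def compare() -> dict:
    """Run the same constructed traffic through both designs."""
    remote_web, scanner = "198.51.100.7", "198.51.100.9"
    results = {}
    for name, nat in (("static", static_nat()), ("combined", combined_nat())):
        srv_out = nat.outbound(Packet(SERVER, 40000, remote_web, 80))
        ws_out = nat.outbound(Packet(WORKSTATION, 40000, remote_web, 80))
        in_443 = nat.inbound(Packet(scanner, 51000, SERVER_PUBLIC, 443))
        in_22 = nat.inbound(Packet(scanner, 51001, SERVER_PUBLIC, 22))
        srv_reply = nat.inbound(Packet(remote_web, 80, srv_out.src, srv_out.sport))
        ws_reply = nat.inbound(Packet(remote_web, 80, ws_out.src, ws_out.sport))
        results[name] = {
            "server_out": (srv_out.src, srv_out.sport),
            "ws_out": (ws_out.src, ws_out.sport),
            "in_443": in_443.dst if in_443 else None,
            "in_22": in_22.dst if in_22 else None,
            "reply_to_server": (srv_reply.dst, srv_reply.dport),
            "reply_to_ws": (ws_reply.dst, ws_reply.dport),
        }
    return results


if __name__ == "__main__":
    for design, r in compare().items():
        print(design, r)
```

Running it shows the server's outbound traffic leaving as 203.0.113.10 under the static design and as 203.0.113.1, identical to the workstation, under the combined one; the inbound probe to port 22 is handed to the server by the static mapping and dropped by the combined one. Whether the static design is acceptable therefore depends on the filter policy sitting in front of the 1:1 mapping, which the toy does not model.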


