Isolate a DMZ from the LAN with NAT or ACL ?

Toggle sidebar Toggle sidebar
P

polm

Diamond Member
May 24, 2001
3,183
0
0
I have a DMZ subnet on one interface, and a LAN subnet on another.

I need to limit all traffic from the DMZ --> LAN to 'established' traffic only.

Would it be best to PAT an IP in the DMZ subnet for the LAN clients to use, and then throw some protective ACL's blocking DMZ --> LAN.

or...

Allow the LAN clients to route onto the DMZ subnet, and use ACL's, only, to limit the DMZ ---> LAN traffic?
 
P

polm

Diamond Member
May 24, 2001
3,183
0
0
Originally posted by: spidey07
sounds like you need a pix.

But I would do it with ACLs and use the established tag.
Click to expand...

I am using a PIX, and I did, indeed, decide to use ACL's only.

My config was questioned by a teammate, and I was trying to find some info about the NAT alternative.

It seemed to boil down to which process was more CPU demanding. I'm still not sure what the answer to that is.
 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
well if its a lower security interface it will block everything anyway. Adding NAT or ACLs would add processor.

but in reality if you are concerned with processor utilization on a pix then the pix isn't big enough.

-edit- the only time I've seen a pix peg out the processor was with a 50,000 line ACL or massive worm activity.
 
P

polm

Diamond Member
May 24, 2001
3,183
0
0
Originally posted by: spidey07
well if its a lower security interface it will block everything anyway. Adding NAT or ACLs would add processor.

but in reality if you are concerned with processor utilization on a pix then the pix isn't big enough.

-edit- the only time I've seen a pix peg out the processor was with a 50,000 line ACL or massive worm activity.
Click to expand...


not concerned about CPU, considering this is a really small setup. I just figured with multiple solutions, I should have some reasoning behind the choice I made.
 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
oh, then you will have to worry about processor if the load gets up. I hope this isn't routing LAN interfaces.
 
P

polm

Diamond Member
May 24, 2001
3,183
0
0
Originally posted by: spidey07
oh, then you will have to worry about processor if the load gets up. I hope this isn't routing LAN interfaces.
Click to expand...

Single router supporting 1 LAN, 1 DMZ, and 1 WAN interface,
 
S

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: polm
Originally posted by: spidey07
oh, then you will have to worry about processor if the load gets up. I hope this isn't routing LAN interfaces.
Click to expand...

Single router supporting 1 LAN, 1 DMZ, and 1 WAN interface,
Click to expand...

keep an eye on the processor. My guess is anything over 4-5 Mbs of traffic will bring it to its knees.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom