Friday, February 6, 2015

networking - Why don't more organizations configure NAT U-turns/hairpins?

I asked a similar question a while ago, but foolishly referenced inside-to-inside NAT. Not being a network admin, my terminology on the networking side of things was limited and led to answers that answered my question, but not the spirit of my question.



Imagine a situation which is common for most small/medium businesses that host their own servers:

  1. You have a single firewall with multiple interfaces. They are LAN, WAN, and DMZ.
  2. Your web/mail servers have RFC1918 addresses that are 1:1 NAT'd from the DMZ interface to public IPs.
  3. Devices on the LAN interface regularly communicate with devices on the DMZ interface.
  4. You have an Active Directory domain named corp.example.com, and your web servers are in the external example.com zone.




In a lot of deployments, it is common to see the internal DNS servers (AD Domain Controllers) hosting an internal copy of the example.com zone with the RFC1918 addresses. Why don't more organizations configure NAT U-turns/hairpins so that you don't need a second copy of this zone with different information? Why don't organizations simply have internal DNS for corp.example.com and external DNS for example.com and call it a day?

Yes, in large businesses you would ideally have separate DMZ firewalls and even separate DMZ internet connections. This isn't the case in any SMB that I know.

Yes, the ASA has some crappy licensing regarding this. I don't care about licensing constraints, it's just money. I know they can be configured to allow this with same-security-traffic.

I worked in a Juniper shop for years where this worked fine without any crazy configurations, so how is it that Cisco admins seem to have so many problems with this? Is it really much easier to accomplish on Juniper kit? Is it a limitation of IOS that makes Cisco network admins not interested in configuring it?
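For reference, here is what the U-turn the question asks about looks like on a Cisco ASA running 8.3+ NAT syntax. This is an added illustration, not configuration from the original post or from any particular vendor document; the interface names (inside, dmz, outside), the object names, and the addresses (LAN 10.0.1.0/24, DMZ web server 10.0.2.10 published as 203.0.113.10) are all assumed for the example. With this in place, internal clients can resolve www.example.com from the same public zone as everyone else and still reach the DMZ server, so no internal copy of example.com is required.

```cisco
! Added example (not from the original post); names and addresses are assumed:
!   inside  = LAN  (10.0.1.0/24)
!   dmz     = DMZ  (10.0.2.0/24), web server 10.0.2.10
!   outside = WAN, web server published as 203.0.113.10
object network DMZ-WEB
 host 10.0.2.10
object network DMZ-WEB-PUBLIC
 host 203.0.113.10
object network LAN-NET
 subnet 10.0.1.0 255.255.255.0
!
! Ordinary 1:1 static NAT for Internet clients (object NAT, dmz -> outside)
object network DMZ-WEB
 nat (dmz,outside) static DMZ-WEB-PUBLIC
!
! U-turn for LAN clients that resolve www.example.com to the public address:
! the destination 203.0.113.10 is rewritten to 10.0.2.10 on the way into the
! DMZ, and the client is hidden behind the firewall's dmz interface address so
! the server's reply always comes back through the same NAT state (no
! asymmetric path even if the server had another route to the LAN).
! Manual (twice) NAT is evaluated before object NAT, so this rule is matched
! first for LAN sources.
nat (inside,dmz) source dynamic LAN-NET interface destination static DMZ-WEB-PUBLIC DMZ-WEB
!
! Only required when client and server sit behind the *same* interface
! (a true hairpin); harmless for the inside -> dmz case above.
same-security-traffic permit intra-interface
```

Two points worth checking on a real box: the access policy on the inside interface is evaluated against the real (post-translation) address 10.0.2.10, so permit the published ports there rather than the public IP, and after any NAT change run `packet-tracer input inside tcp 10.0.1.50 12345 203.0.113.10 443` to confirm the twice-NAT rule, not the object NAT, is the one being hit. The ASA also offers DNS doctoring (the `dns` keyword on the static NAT) as a second way to avoid the duplicate zone: it rewrites the A record in DNS replies crossing the firewall, which avoids the U-turn entirely but only works when the DNS reply itself passes through the ASA.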
