Showing results for 
Search instead for 
Did you mean: 

NAT or NO-NAT - That is the Question...


NAT or NO-NAT - That is the Question...

Hi All,
Just set up my first ADSL connection (previously used a lease line) and have set the modem (Netgear DM602 - but works just like the Solwise110!) to use NAT and thus form (I believe) a "DMZ" before entering our network through an ISA firewall.

I've set up the NAT and port forwarding rules for our DNS server (in the DMZ) and web and smtp (behind the ISA firewall) and all appears to work.

However is this the best way to do it or should I be using a NO-NAT setup (and effectievly run as we did with the lease linewith no DMZ ?

I should point out that I'm not using any DMZ "option" on the modem.

Any comments greatfully received.

NAT or NO-NAT - That is the Question...

If you use no Nat then your ip becomes live on the net and open to atack. Using nat means any attacks will be at the router and not your server.

Unless you have any incoming traffic like a web server then there is no need for you to use a dmz zone. A dmz zone forwards everything to the one pc which is realy the same as having no Nat and as such you are open to attack more.

Use the NAt and only forward ports you need to and leave the other ports closed.

You only need to open ports that are started from outside like a webserver, if the port is opened from inside the router will let replies through anyway
Rising Star
Posts: 269
Thanks: 33
Fixes: 1
Registered: 10-08-2007

NAT or NO-NAT - That is the Question...

I think you need a 'policy' decision here.

The ISA server is a far more sophisticated firewall/router/cache than the DM602. If it is conrrectly configured it can do everything your DM602 can and more (including NAT), hence the question is do you need two firewalls? If not then put the DM602 in route only mode and implement your security policy at the ISA server. You need a minimum of 2 public IPs to do this.

Not sure what you have done with the DNS. Do you need outside access to your DNS server? Normally I would put the internal DNS server behind the firewall, set up forwarders to the public DNS and deny port 53 to everything else. Any public IPs (like your web and mail server) are hosted by your ISP and point to your ISA server which forwards to the correct internal IP.

If you do put the DM602 into route only mode be careful about what else is running on the ISA server. You want to make sure that only services you need are listening on the external interface.