Question, please comment

[gejlug]

Brianna has three servers located in a DMZ, using public IP addresses that need to be accessed by her internal networks. Brianna's internal network use class B IP addresses, per RFC 1918. Internal networks access the Internet, using Dynamic NAT behind the external IP address of her Security Gateway. What is the best way to configure access for the DMZ servers?
A. Configure Manual NAT rules to translate the internal networks, when connecting to the DMZ servers.
B. Configure Dynamic NAT for the DMZ interface of the Security Gateway.
C. Configure Static NAT rules for the DMZ servers.
D. Configure Manual NAT rules to translate the DMZ servers, when connecting to the internet.

Testking answer is B, but I think it should be A, because the question is how to access the DMZ servers from internal networks, and B answer with Dynamic (Hide) NAT is only meant for outgoing traffic. What do you think ?

thanks

[prasad]

Hi,

Your answer seems to be correct.

We can configure PAT on the DMZ servers to access from the Internal networks.

Answer:-

Configure Manual NAT rules to translate the internal networks, when connecting to the DMZ servers.

Bhaskar Prasad

[gejlug]

Thanks Prasad, I think my answer is correct, if not I won't pass the test last week :)

[usmanshaikh]

A is correct as you do not need NAT b/w internal network and DMZ, so you need to add manual rules that do not perform any translation for this traffic..All you need is correct routing and this should work..But remember to add the manual rule before the automatic rule for Hide NAT

Original packet Translated Packet
Src Dst Serv Src Dst Serv
internal_net DMZ Any Original Original Original

[usmanshaikh]

CP Student Handbook pg 291

Quote:

In scenarios where multiple internal networks route traffic through a security Gateway, the load on the Security GW can be reduced. Add manual rules to.......Specify Original > Original > Original in the translated packet fields

Usman