Until now we only had Astaros with some few rules.
Now i'm setting up our own Astaros which has around 100 active external IP's, where most of them are mapped to DMZ.
Now, my question is: How do you set up the NAT and firewall rules? In general there are two way to do it:
1.
I normally only configure the DNAT for what i use and activate "Automatic packet filter rule". So, for example:
DNAT [Whatever]
Traffic selector: Any => Service Group (HTTP/POP3/...) => External IP of Server
Destination translation: Server IP in DMZ
In addition to that i configure SNAT for outgoing traffic (That the server has the correct IP when it connects to the outside)
With this config i don't have to make packet filter rules myself at all.
2.
The other way would be to configure DNAT and SNAT for all ports (So that it is like a 1:1 NAT), and then only allow the ports needed within "Packet Filter".
Now i'm vary between solution 1 and 2. Can not decide whats better and easier to manage in future. So i would be interested how you normally do it in larger setups.
Thank you
Urs
This thread was automatically locked due to age.
