I've seen the interesting issues as well. But in 90+% of the networks I
deal with, I don't find those issues. It's only when myself and the
admin I'm working with has 20 services in the DMZ that needs to be
provided publicly, but their ISP has only given them a /29 subnet to use
that my head starts to hurt.

My overall point was, if you have the $ for IP addresses or already have
them, it's discretionary...it's up to you to use NAT or not. If you
don't have the IP addresses to spare, then sometimes you have to get
creative. I guess I didn't see the issue as more/less work, or
routing/not routing if you knew what you were doing...it just becomes
preference of implementation at that point.

> however, for a DMZ (the question that was asked) you are typicaly
> providing service to the Internet, and for that you run into a bunch of
> very interesting issues if you try to use NAT to reduce the number of IP
> addresses you use.
> David Lang

firewall-wizards mailing list