
Re: [nn] Netscreen 50

To: <mahesh@tiscali.co.uk>, "'jofin joseph'" <jofin_joseph@rediffmail.com>, Netscreen Mailing List <nn@qorbit.net>
Subject: Re: [nn] Netscreen 50
From: Stephen Gill <gillsr@cymru.com>
Date: Thu, 16 Nov 2006 08:55:17 -0700
> Are you suggesting that if I had a Netscreen with a Trust and an Untrust
> interface, with private addressing on the Trust side, that I should set both
> interface modes to route?  That would mean setting each and every outbound
> policy to NAT.

Absolutely.  Route everywhere, use Policies for NAT.  Generally the number
of outbound policies is not that large, and even if it is it's not a
difficult migration path.

MIPs take care of themselves, so you shouldn't need any interfaces set to
NAT mode.

> Although I'm sure you have a valid reason why I don't see why you are so
> against NAT mode on an interface.

A few reasons:

- introduces an added layer of complexity and goes against the natural
conceptual understanding of how policies should work (ambiguity)
- decreases flexibility by forcing all traffic to be NATted
- decreases flexibility by not allowing you to specify how the traffic
should be NATted outbound
- combining NAT features (interface + policy) increases firewall overhead
and complexity unnecessarily
- it's an arcane construct that should have been removed some time ago from
the OS.  It is mostly left there for backwards compatibility IMO.
- makes it more difficult to troubleshoot
- I've run into cases where interface NAT doesn't create the desired effect
for some strange reason, but when migrated to policy NAT things magically
start working
- others I can't think of presently ;)

Etc.

All in all, it's not recommended and whenever I see it, it's the first thing
I turn off on a NetScreen.  I've never been disappointed ;)

There might be some extreme corner cases where something like that would be
necessary, but I've never had a real world example come up that couldn't be
solved with the standard VIP/DIP/MIP + policy NAT.

There are a few other things that should be migrated to policy-based in
ScreenOS, but those are purely cosmetic and work perfectly well the way they
are today (e.g. manage-ips, manage, ...).

Cheers,
-- steve
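The migration steve describes (interfaces in route mode, source NAT declared per policy via a DIP pool, inbound handled by a MIP), written out as an added ScreenOS CLI example that is not part of the original post. Interface names, zone names, the DIP id and the RFC 5737 documentation addresses are constructed assumptions, and the `#` lines are reader comments rather than ScreenOS syntax.

```screenos
# Added example, not from the post. Addresses and names are constructed.

# BEFORE: trust interface in NAT mode. Every outbound session is
# translated to the untrust interface address, whatever the policy says.
set interface ethernet1 zone trust
set interface ethernet1 ip 192.0.2.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.1/24
set policy from trust to untrust any any any permit

# AFTER: route mode everywhere; each policy states its own translation.
set interface ethernet1 route

# DIP pool (id 5, assumed) on the egress interface for source NAT
set interface ethernet3 dip 5 203.0.113.10 203.0.113.10

# Outbound HTTP is NATted to the DIP pool ...
set policy from trust to untrust any any http nat src dip-id 5 permit
# ... while other flows can be left untranslated (policies match in order).
set policy from trust to untrust any any any permit

# Inbound: a MIP behaves the same regardless of the interface mode.
set interface ethernet3 mip 203.0.113.20 host 192.0.2.20 netmask 255.255.255.255 vr trust-vr
set policy from untrust to trust any MIP(203.0.113.20) http permit

# Checks: interface mode should now read route, and the policy listing
# shows which policies perform NAT.
get interface ethernet1
get policy
```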


_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn
