
Re: [nn] Netscreen 50

To: "'Stephen Gill'" <gillsr@cymru.com>, "'Netscreen Mailing List'" <nn@qorbit.net>
Subject: Re: [nn] Netscreen 50
From: "Mahesh" <mahesh@tiscali.co.uk>
Date: Fri, 17 Nov 2006 14:13:21 -0000
In-reply-to: <C181D7F5.5C2C4%gillsr@cymru.com>
Reply-to: mahesh@tiscali.co.uk
Thanks Steve,

> - I've run into cases where interface nat doesn't create the desired
> effect for some strange reason, but when migrated to policy nat things
> magically start working

In the past I have created a sub-interface in route mode when I meant to
create it in NAT mode.  Changing it to NAT mode afterwards has no effect,
i.e. it appears to be in NAT mode but all policies have to be created with
NAT on the policy.

Best regards,
-Mahesh


> -----Original Message-----
> From: Stephen Gill [mailto:gillsr@cymru.com]
> Sent: 16 November 2006 15:55
> To: mahesh@tiscali.co.uk; 'jofin joseph'; Netscreen Mailing List
> Subject: Re: [nn] Netscreen 50
> 
> > Are you suggesting that if I had a Netscreen with a Trust and an Untrust
> > interface, with private addressing on the Trust side, that I should set
> > both interface modes to route?  That would mean setting each and every
> > outbound policy to NAT.
> 
> Absolutely.  Route everywhere, use Policies for NAT.  Generally the number
> of outbound policies is not that large, and even if it is it's not a
> difficult migration path.
> 
> MIPs take care of themselves, so you shouldn't need any interfaces set to
> NAT mode.
> 
> > Although I'm sure you have a valid reason why I don't see why you are so
> > against NAT mode on an interface.
> 
> A few reasons...
> 
> - introduces an added layer of complexity and goes against the natural
> conceptual understanding of how policies should work (ambiguity)
> - decreases flexibility by forcing all traffic to be NATted
> - decreases flexibility by not allowing you to specify how the traffic
> should be NATted outbound
> - combining NAT features (interface + policy) increases firewall overhead
> and complexity unnecessarily
> - it's an arcane construct that should have been removed some time ago from
> the OS.  It is mostly left there for backwards compatibility IMO.
> - makes it more difficult to troubleshoot
> - others I can't think of presently ;)
> 
> Etc.
> 
> All in all, it's not recommended and whenever I see it it's the first thing
> I turn off on a netscreen.  I've never been disappointed ;)
> 
> There might be some extreme corner cases where something like that would be
> necessary, but I've never had a real world example come up that couldn't be
> solved with the standard VIP/DIP/MIP + policy NAT.
> 
> There are a few other things that should be migrated to policy-based in the
> ScreenOS but those are purely cosmetic and work perfectly well the way they
> are today (eg: manage-ips, manage, ...)
> 
> Cheers,
> -- steve
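The migration Steve argues for (all interfaces in route mode, translation declared per policy) written out as ScreenOS CLI, with the interface-NAT form it replaces shown first. This is an added illustration, not configuration from either poster; the interface names, zones, addresses, address-book entry and the DIP/MIP ids are assumptions, and lines starting with `#` are annotations rather than ScreenOS commands.

```text
# Before: ethernet1 in NAT mode. Every trust-to-untrust session is
# translated to ethernet3's address, even though policy 1 says nothing
# about NAT, so the policy alone does not tell you what leaves the box.
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.2/24
set interface ethernet3 route
set policy id 1 from trust to untrust any any any permit

# After: both interfaces in route mode. Nothing is translated unless a
# policy asks for it, so "get policy" shows exactly what is NATted and how.
set interface ethernet1 route
set interface ethernet3 route

# Plain source NAT to the egress interface address (replaces interface NAT)
set policy id 1 from trust to untrust any any any nat src permit log

# Source NAT from a DIP pool for one server group (the "how" that
# interface NAT mode cannot express)
set address trust Mail_Servers 10.1.1.16/28
set interface ethernet3 dip 5 203.0.113.10 203.0.113.20
set policy id 2 from trust to untrust Mail_Servers any smtp nat src dip-id 5 permit log

# Inbound: the MIP carries its own translation, no interface NAT needed
set interface ethernet3 mip 203.0.113.50 host 10.1.1.50 netmask 255.255.255.255 vr trust-vr
set policy id 3 from untrust to trust any MIP(203.0.113.50) http permit log

# Traffic that must not be translated simply omits "nat src"
set policy id 4 from trust to dmz any any any permit log

# Verify: translated addresses should appear only for sessions matching
# policies 1 and 2
get policy id 1
get session
```

Because the translation now lives in the policy, the interface-mode caveat Mahesh describes no longer comes into play: a policy without `nat src` passes traffic untranslated regardless of how the sub-interface was originally created.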

_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn
