On 21 Oct 1996, Ryan Russell/SYBASE wrote:
> PIX is (uses) NAT.
> The main downside is that any machines using a
> shared outside registered address can't really function
> as a server of any kind. You still have to have an IP
> address the rest of the world can use per server
> that you want to be distinct. Cisco has a product (different from PIX)
> that may do something like this port at this address goes to
> this machine, and this port at the same address goes to that
> different machine.

Put your external servers on a bastion segment, using assigned addresses.
Use NAT and RFC1918 addressing scheme for your inside network. Won't be a
fit for everyone, of course.

> Keep in mind that there are a number of apps that
> want your machine on the inside to function as a
> server. Examples include IRC DCC Send, several
> Internet Phone programs, etc.

IRC through the firewall to an internal machine? Not.

Just my $.02 - YMMV
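
The behaviour discussed in the thread, that hosts sharing one outside address cannot accept unsolicited connections unless a per-port mapping exists, as an added example that is not part of the original messages and does not model the PIX or any other product. The `Napt` class, its methods and every address (RFC1918 and documentation ranges) are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr falls in one of the three RFC1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

class Napt:
    """Toy many-to-one address translator (hypothetical, for illustration)."""

    def __init__(self, outside_ip, static_map=None):
        self.outside_ip = outside_ip
        self.static = dict(static_map or {})  # outside port -> (inside ip, port)
        self.dynamic = {}                     # outside port -> (inside ip, port, remote)
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection: allocate an outside port, record the flow."""
        if not is_rfc1918(src_ip):
            raise ValueError("inside hosts are expected to use RFC1918 space")
        port = self.next_port
        self.next_port += 1
        self.dynamic[port] = (src_ip, src_port, (dst_ip, dst_port))
        return (self.outside_ip, port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving at the shared address: inside target, or None (dropped)."""
        if dst_port in self.static:
            return self.static[dst_port]
        flow = self.dynamic.get(dst_port)
        if flow and flow[2] == (src_ip, src_port):
            return flow[:2]                   # reply to a flow opened from inside
        return None                           # nothing tells the NAT which host to pick

def demo():
    """Constructed scenario: one shared outside address, one per-port mapping."""
    nat = Napt("192.0.2.1", static_map={25: ("10.0.0.25", 25)})
    out = nat.outbound("10.0.0.7", 1055, "198.51.100.9", 6667)  # client -> IRC server
    return {
        "reply": nat.inbound("198.51.100.9", 6667, out[1]),  # server answers the client
        "dcc": nat.inbound("203.0.113.50", 3000, 5000),      # peer dials in, DCC-style
        "smtp": nat.inbound("203.0.113.50", 3001, 25),       # port 25 mapped to one host
    }

if __name__ == "__main__":
    print(demo())
```
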