It’s common for enterprises to place publicly accessible servers into one or more DMZs and to obtain from the ISP a handful of public IP addresses for these DMZ servers.
In many cases all of these public IP addresses are assigned to the firewall’s WAN interface, the DMZ uses private IP addresses, and destination NAT rules are used to make the servers accessible from the Internet.
While this approach is helpful when you want to use the same public IP address to publish different services located on different servers, it has a couple of drawbacks:
Applications or protocols that do not tolerate NAT.
Administration overhead to create all the needed NAT mappings when one-to-one NAT (1:1 NAT) rules are used.
One-to-one NAT (1:1 NAT) is a type of NAT that maps one external address to one internal address.
A DMZ that uses public IP addresses may therefore be desirable.
One way to accomplish this is to subnet the range of IP addresses assigned by the ISP, or to obtain a separate subnet just for the DMZ. A simpler way is to create the DMZ using Layer 2 bridging: the firewall acts as a Layer 2 bridge between the WAN and the DMZ, providing the following benefits:
Full transparency in the firewall’s mode of operation, while it still provides its regular security services (Stateful Packet Inspection, IPS, etc.).
No re-addressing is needed; the internal network stays hidden behind the firewall, and no private subnet is used for the DMZ.
No need for NAT rules; the currently available public IP addresses can be assigned directly to the servers in the DMZ.
Applications and protocols that are intolerant of or sensitive to NAT function properly.
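As an added example (not the article’s own configuration), this is what such a bridged DMZ looks like on a Linux firewall using nftables: the WAN and DMZ ports are enslaved to a bridge with no IP address, the servers keep their public addresses, and stateful filtering is applied on the bridge forward hook with no NAT rule anywhere. The interface names, the bridge name and the 203.0.113.0/28 block (a documentation range standing in for the ISP-assigned addresses) are assumptions.

```nft
#!/usr/sbin/nft -f
# Transparent Layer 2 DMZ on a Linux firewall (assumed names: eth0, eth1, br0).
#
# Bridge setup, done once before loading this ruleset (as root):
#   ip link add br0 type bridge
#   ip link set eth0 master br0        # eth0: towards the ISP router
#   ip link set eth1 master br0        # eth1: towards the DMZ switch
#   ip link set eth0 up; ip link set eth1 up; ip link set br0 up
# br0 carries no IP address, so the firewall is invisible on the path.
# Stateful matching (ct state) in the bridge family needs the
# nf_conntrack_bridge module (Linux 5.3 or later).

flush ruleset

define WAN_IF  = "eth0"
define DMZ_IF  = "eth1"
define DMZ_NET = 203.0.113.0/28        # public block assigned to the DMZ (constructed)
define WEB_SRV = 203.0.113.10          # DMZ web server (constructed)

table bridge dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # ARP must cross the bridge, or neither side can resolve the other.
        ether type arp accept

        # Return traffic of already accepted flows, in both directions.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, only to the intended host.
        iifname $WAN_IF oifname $DMZ_IF ip daddr $WEB_SRV tcp dport { 80, 443 } ct state new accept
        iifname $WAN_IF oifname $DMZ_IF ip daddr $DMZ_NET icmp type echo-request limit rate 10/second accept

        # DMZ -> Internet: anti-spoofing first, then outbound as policy allows.
        iifname $DMZ_IF oifname $WAN_IF ip saddr != $DMZ_NET drop
        iifname $DMZ_IF oifname $WAN_IF ip saddr $DMZ_NET ct state new accept

        # Everything else falls through to the drop policy; log it for visibility.
        log prefix "dmz-bridge-drop "
    }
}
```

Because the bridge forwards frames rather than routing packets, a drop policy also stops ARP (and IPv6 neighbour discovery, if used), which is why the explicit ARP accept comes first.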