https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47955#M35251 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You can do both, since these are externally accessible servers you can install them in a separate zone from your LAN and do static 1:1 NAT for public access to these servers. Then configure a policy to allow outside access to the webservers on DMZ (if needed restrict the services allowed for more security). Document suggested above is a good reference.<SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">When you mention each server has an internal sql database, do they have to access internal production database on your LAN? However, you should be able to configure security policies accordingly for the servers to talk between zones.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Hope that helps!</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks,</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Aditi<BR /></SPAN></P></BODY></HTML> Thu, 05 Sep 2013 14:59:43 GMT apasupulati 2013-09-05T14:59:43Z https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47952#M35248 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>I'm looking for some insight on the best security design for several externally accessible web applications. We have several public IP addresses available and can simply do a 1:1 NAT for each web server, put it in a DMZ, or both. Each web server has an internal SQL database to complicate things. From a best security perspective i'm not sure if a 1:1 NAT will work fine or if i should use a DMZ. I would still like to allocate 1 public IP address per web server.</P><P></P><P>thx</P></BODY></HTML> Thu, 05 Sep 2013 05:39:16 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47952#M35248 mdfaulkner 2013-09-05T05:39:16Z https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47953#M35249 <HTML><HEAD></HEAD><BODY><P>You can have your servers in the DMZ zone and then do a 1:1 dnat for your servers. Something similar to the example given in page 15 of this doc <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1517">https://live.paloaltonetworks.com/docs/DOC-1517</A></P></BODY></HTML> Thu, 05 Sep 2013 06:34:57 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47953#M35249 sraghunandan 2013-09-05T06:34:57Z https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47954#M35250 <HTML><HEAD></HEAD><BODY><P>I,</P><P></P><P>In my mind, the best security thing should be</P><P>&nbsp;&nbsp;&nbsp;&nbsp; - Using DMZ</P><P>&nbsp;&nbsp;&nbsp;&nbsp; - Using reverse Proxy in DMZ</P><P>&nbsp;&nbsp;&nbsp;&nbsp; - Install your server in an other zone</P><P></P><P>Concerning NAT, 1:1 nat is ok</P><P></P><P>Then allow access from outside to your DMZ. then open access from dmz to your web server.</P><P></P><P>V.</P></BODY></HTML> Thu, 05 Sep 2013 09:09:34 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47954#M35250 VinceM 2013-09-05T09:09:34Z https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47955#M35251 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You can do both, since these are externally accessible servers you can install them in a separate zone from your LAN and do static 1:1 NAT for public access to these servers. Then configure a policy to allow outside access to the webservers on DMZ (if needed restrict the services allowed for more security). Document suggested above is a good reference.<SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">When you mention each server has an internal sql database, do they have to access internal production database on your LAN? However, you should be able to configure security policies accordingly for the servers to talk between zones.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Hope that helps!</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thanks,</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Aditi<BR /></SPAN></P></BODY></HTML> Thu, 05 Sep 2013 14:59:43 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47955#M35251 apasupulati 2013-09-05T14:59:43Z https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47956#M35252 <HTML><HEAD></HEAD><BODY><P>basically, they are 3rd party applications with web interfaces. Currently, everything is on the LAN (web server and SQL server) but i'm implementing a new PA-3020 and may utilize a DMZ for the web server and keep the sql box on the LAN, and like you say, just have the DMZ zone and trust zone communicate. Thanks for the reply, i'm going to have a look at that document now.</P></BODY></HTML> Thu, 05 Sep 2013 16:33:54 GMT https://live.paloaltonetworks.com/t5/general-topics/dmz-or-nat-for-web-server/m-p/47956#M35252 mdfaulkner 2013-09-05T16:33:54Z