> With your situation you want two IPs for the gateway, one from LAN
> subnet and the other the DMZ subnet. Having them both from the same
> network means that routing won't work as normal so you effectively have
> to turn the router into a bridge which means the separation isn't
> You're correct in your thinking that the NAT process won't be involved
> from LAN to DMZ
internal LAN and I send out a packet designated for a machine on the
internet. First the packet is routed through the gateway/*firewall. As the
packet passes across the DMZ, its source address is unchanged. Only when it
hits the second gateway/router is NAT performed, so that the packet now has
the gateway/router's external IP address (assigned from the ISP in this
case). In this case, NAT is performed only once on the external router, and,
as you say, the NAT process won't be involved from LAN to DMZ.
According to the author, however, "the LAN would be NATed and would not be
assigned routable addresses." This means NAT would be performed twice. Is
there some advantage, from a security perspective, in performing NAT twice,
rather than routing the address through the first *firewall (between LAN
and DMZ subnets) and NATing only on the external gateway/firewall?
Furthermore, if the LAN is NATed, does this mean I only need one network
for the LAN and DMZ, or can I still subnet the two?
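To make the difference between the two setups concrete, here is an added model (not from this thread or any of its participants) of a LAN host sending to an Internet server through the LAN/DMZ gateway and then the edge gateway, once with plain routing on the inner gateway and once with source NAT on it. All addresses, ports and class names are constructed for the example; packet-filter rules on the gateways are deliberately left out so only the address translation is visible.

```python
# Added model of the two topologies under discussion (constructed example):
# LAN host -> inner gateway (LAN/DMZ) -> DMZ -> edge gateway -> Internet.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class SourceNat:
    """Masquerading NAT: rewrites the source to the gateway's outside address
    and records the mapping so replies can be translated back."""
    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip, self.next_port, self.table = outside_ip, first_port, {}

    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt):
        # No matching outbound state means the packet is unsolicited: dropped.
        orig = self.table.get(pkt.dport)
        return None if orig is None else replace(pkt, dst=orig[0], dport=orig[1])

class Router:
    """Plain routing between LAN and DMZ: packets are forwarded unchanged
    in both directions (filter rules are out of scope for this model)."""
    def outbound(self, pkt): return pkt
    def inbound(self, pkt): return pkt

LAN_HOST, DMZ_HOST, INTERNET_HOST = "192.168.1.10", "10.0.0.20", "198.51.100.7"
INNER_DMZ_IP, EDGE_PUBLIC_IP = "10.0.0.1", "203.0.113.5"

def outbound_view(inner):
    """Source seen on the DMZ wire, source seen by the Internet server, and
    the destination the reply ends up with after both gateways map it back."""
    edge = SourceNat(EDGE_PUBLIC_IP)
    pkt = Packet(LAN_HOST, 51515, INTERNET_HOST, 443)
    on_dmz = inner.outbound(pkt)          # after the LAN/DMZ gateway
    on_net = edge.outbound(on_dmz)        # after the edge gateway
    reply = Packet(INTERNET_HOST, 443, on_net.src, on_net.sport)
    back = inner.inbound(edge.inbound(reply))
    return on_dmz.src, on_net.src, back.dst

def dmz_to_lan_reachable(inner, dst=LAN_HOST):
    """Can a host on the DMZ address a LAN host directly through the inner gateway?"""
    return inner.inbound(Packet(DMZ_HOST, 4444, dst, 22)) is not None
```

With `Router()` as the inner gateway the DMZ sees the LAN host's real address and can address it back; with `SourceNat(INNER_DMZ_IP)` the DMZ only ever sees the inner gateway's DMZ-side address, replies still reach the LAN host, and the two subnets stay distinct.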