IP alias and NAT


 



Greetings all,

I just got a strange setup on a client site.
It is a standard network setup: Internet -> router -> firewall -> DMZ.

The firewall is doing NAT for the servers in the DMZ.

The strange part is they always create an IP alias on the firewall's external
interface when creating a NAT rule (either preroute or post-route).
If I remove the IP alias, then the connection will never work.

My question is, is this the right setup?

To my understanding, it should be just doing NAT with pre-route or
post-route, and then creating the policy using the FORWARD chain.
Using an IP alias never seems to make sense to me here (what if there are 1000
servers in the DMZ?).

Does anyone have any idea here?


 - Jet
Security Analyst



