Newbie - dynamic NAT question
If I have two internal networks on separate interfaces; 192.168.1.x and 192.168.25.x on an XTM firebox, is there any functional difference or advantage between these two methods of entering the NAT?
192.168.0.0/16
and
192.168.1.0/24
192.168.25.0/24
Comments
I don't believe so (and the first form is used for exceptions etc.), but it is more secure to list only the networks that you are using.
Adrian from Australia
Absolutely there is a difference if you use those for the interface subnet on devices connected to an interface. /16 will not allow access from devices on 1 interface to devices on the other interface.
For an SNAT used for incoming access, either should work, but it is always better to use the correct subnet mask, which in your case is /24. Less confusion in the future, and in rare cases there have been issues in various earlier Fireware versions related to odd/unexpected subnet masks.
For SNAT used for loopback, /16 may not work for access to the other interface devices - never tried this.
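The two points raised in the replies above (Adrian's "list only the networks you are using" and the second reply's "/16 as the interface subnet breaks access between the two interfaces") can both be checked with a short model. The script below is an added example, not code from this thread or from WatchGuard; it uses only Python's standard `ipaddress` module, the subnets from the question, and a deliberately simplified host forwarding decision (no proxy ARP, no static routes), so the function and interface names are assumptions for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed from the question: the broad form and the specific form of the NAT source list.
AGGREGATE = ipaddress.ip_network("192.168.0.0/16")
SPECIFIC: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.25.0/24"),
]


def matches_dynamic_nat(src: str, nat_sources: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if a packet with this source address would be picked up by the dynamic NAT rule."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nat_sources)


def excess_networks(aggregate: ipaddress.IPv4Network,
                    specific: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Address space the aggregate covers that none of the specific networks do.

    This is the 'surplus' Adrian's reply warns about: every address in it would be
    translated by the /16 rule even though no interface you own carries it.
    """
    remaining = [aggregate]
    for spec in specific:
        next_remaining = []
        for net in remaining:
            if spec.subnet_of(net):
                # address_exclude yields the pieces of net outside spec (nothing if equal)
                next_remaining.extend(net.address_exclude(spec))
            elif net.subnet_of(spec):
                continue  # fully consumed by the specific network
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return list(ipaddress.collapse_addresses(remaining))


def excess_address_count(aggregate: ipaddress.IPv4Network,
                         specific: Iterable[ipaddress.IPv4Network]) -> int:
    """Number of addresses the aggregate matches beyond the networks actually in use."""
    return sum(net.num_addresses for net in excess_networks(aggregate, specific))


def host_next_hop(host_iface: str, dst: str, gateway: str) -> str:
    """Simplified forwarding decision of a host with the given address/mask.

    If dst falls inside the host's own subnet, the host treats it as on-link and
    ARPs for it directly (returns "on-link"); otherwise it sends to the gateway.
    With a /16 mask, 192.168.25.x looks on-link to a 192.168.1.x host, so the
    frame never reaches the firewall's other interface. Assumption: no proxy ARP.
    """
    iface = ipaddress.ip_interface(host_iface)
    return "on-link" if ipaddress.ip_address(dst) in iface.network else gateway


def interface_for(dst: str, interfaces: Dict[str, ipaddress.IPv4Network]) -> str:
    """Longest-prefix match over the firewall's own interface subnets (assumed names)."""
    addr = ipaddress.ip_address(dst)
    best = ""
    for name, net in interfaces.items():
        if addr in net and (not best or net.prefixlen > interfaces[best].prefixlen):
            best = name
    return best or "no-route"


if __name__ == "__main__":
    # A host on a subnet you never configured is still translated under the /16 form.
    print("192.168.7.9 under /16 :", matches_dynamic_nat("192.168.7.9", [AGGREGATE]))
    print("192.168.7.9 under /24s:", matches_dynamic_nat("192.168.7.9", SPECIFIC))
    print("surplus addresses the /16 covers:", excess_address_count(AGGREGATE, SPECIFIC))
    # Interface-subnet view: a /16 mask on the 192.168.1.x side hides the other interface.
    print("host 192.168.1.10/16 -> 192.168.25.5:",
          host_next_hop("192.168.1.10/16", "192.168.25.5", "192.168.1.1"))
    print("host 192.168.1.10/24 -> 192.168.25.5:",
          host_next_hop("192.168.1.10/24", "192.168.25.5", "192.168.1.1"))
```

Running it shows that the /16 form translates traffic from roughly 65,000 addresses that belong to neither interface, and that a host given a /16 mask will try to reach 192.168.25.5 directly instead of through the Firebox, which is the failure the second reply describes. The firewall-side `interface_for` helper is there to show the contrast: the Firebox itself would still pick the /24 interface by longest-prefix match, so the break is on the host side.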