DMZ or port forward

I am about to run a server which will be serving web and mail only. There will be one server and one desktop PC behind a cable modem. I am going to put a hardware firewall router after the modem, but should I get one with a dedicated DMZ port or one with two LAN ports? I want the maximum amount of security, so I only want the web and mail ports open on the server and don't want the server being able to initiate a connection to the LAN if it becomes compromised. From what I've read it seems like a DMZ port is quite insecure, as any traffic that isn't marked for the LAN is sent to the DMZ. I can get a firewall with a dedicated DMZ port for a similar price to a firewall with two separate LAN ports, so it's down to which is more secure. I believe I can write an ACL on the DMZ port to block everything bar web and mail. Is there anything else a DMZ port does that a LAN port doesn't?

Also, I will have one static IP, so everything will be NAT'd.

Flamer.

Reply to
die.spam

Static IP is the best path, but a simple NAT router doesn't offer a lot of protection against attachments and such.

The DMZ port on most routers (what some call firewalls) is going to pass ALL traffic directly to the server, so unless you get a quality device like the DFL-700, which has a real DMZ network, you're going to expose your server to the world with all ports exposed.

The server will need HTTPS and SMTP exposed, unless you also allow POP3, but I don't suggest it. Do not expose HTTP; you can run your web mail on HTTPS.

In most of the cheap NAT routers (sometimes called firewalls) the DMZ network and the LAN network are on the same subnet and share the same address space, so if your DMZ network gets compromised then your LAN is also compromised. A cheap firewall (a real one) would not have that flaw.

Reply to
Leythos

Thanks for the info. The units I am looking at are Level1 FBR-2000, which is a real SPI firewall with a hardware DMZ port. I know some cheap routers with built-in switches can have a port set as a software DMZ, but they don't interest me. The issue for me is having the server and desktops on different subnets, but this has raised one more issue: if I can get a firewall with 1x WAN port and 2x (separate) LAN ports, can I NAT two different subnets into one public IP?

Flamer.

Reply to
die.spam

I'm thinking now of maybe getting a Cisco 1700 with 3 10/100s and running the firewall/IDS IOS on it. Upgrading the DRAM will be the expensive part.

Flamer.

Reply to
die.spam

You can NAT as many subnets as you like to one public IP.

I'm not personally familiar with the devices you are considering, but I can relate how I handle this situation. I trunk a router to a switch and create role-based VLANs. I apply ACLs to the router VLAN interfaces. This places the rules as close to the hosts as possible and makes it easy to restrict traffic between VLANs. I use a Cisco 1721/2950 combo with ADSL.

Reply to
Dom

I have a Firebox II in my shop; it has 16 IPs on the public WAN (External), 7 subnets on the LAN (Trusted) and 3 subnets on the DMZ (Optional).

I have this unit set up to forward SMTP to a specific IP in the LAN, HTTP to a specific IP in the DMZ, and HTTPS to a specific IP in the LAN, as well as many other rules/mappings.

A Cisco is a waste of money, doesn't have proxy services and is just plain a PITA.

If you have a FB-II then you have a very OLD Firebox, and it's no longer supported by anyone. A simple Firebox X550e would do all that you want and more, and also provide great protection for SMTP and HTTP as well as remote access to the network.

Reply to
Leythos

OK, well, I found out that 1700s only support 2 Ethernet interfaces and the WICs are 10 Mbps only, so I have bought the Level1 SPI firewall. I would like a Firebox appliance, but they are probably too high-end for what I need, plus there are no local resellers where I am. The firewall I bought has a DMZ port, so I will put access lists blocking everything other than web and mail outbound. There may be a software hack to turn the DMZ port into a protected 2nd LAN interface; if not, it will still do the trick.

Flamer.

Reply to
die.spam
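For reference, here is what the design argued for in this thread (a real DMZ on its own interface and subnet, only HTTPS and SMTP published, the DMZ unable to open connections into the LAN, and both private subnets NATed behind the single public IP) looks like written out as a filter and NAT policy. This is an added example on a Linux box running nftables, not the configuration of the Level1, Cisco or Firebox units discussed above, and the interface names (wan0, lan0, dmz0), subnets and server address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout:
#   wan0 -> cable modem, one static public IP
#   lan0 -> 192.168.1.0/24, the desktop PC
#   dmz0 -> 192.168.2.0/24, the web/mail server at 192.168.2.10
define WAN    = wan0
define LAN    = lan0
define DMZ    = dmz0
define SERVER = 192.168.2.10
define PRIVATE_NETS = { 192.168.1.0/24, 192.168.2.0/24 }

flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself. Nothing from WAN or DMZ
        # is accepted; only the LAN may manage the box over SSH.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        iifname $LAN tcp dport 22 accept
        iifname $LAN icmp type echo-request accept
    }

    chain forward {
        # Traffic passing between the three interfaces. Default deny.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, only to the server.
        # The nat table below rewrites the destination to $SERVER before
        # this chain runs, so match on the post-DNAT address.
        iifname $WAN oifname $DMZ ip daddr $SERVER tcp dport { 25, 443 } accept

        # LAN -> Internet and LAN -> server are allowed; replies come back
        # via the established,related rule above.
        iifname $LAN oifname $WAN accept
        iifname $LAN oifname $DMZ ip daddr $SERVER accept

        # DMZ -> Internet: only what a mail/web server needs to originate
        # (outbound SMTP delivery, DNS, package updates over HTTP/HTTPS),
        # pinned to the server's address so nothing else in the DMZ can use it.
        iifname $DMZ oifname $WAN ip saddr $SERVER tcp dport { 25, 80, 443 } accept
        iifname $DMZ oifname $WAN ip saddr $SERVER udp dport 53 accept
        iifname $DMZ oifname $WAN ip saddr $SERVER tcp dport 53 accept

        # DMZ -> LAN: never initiated from the DMZ side. A compromised server
        # gets no path inward; the counter lets you see attempts in `nft list ruleset`.
        iifname $DMZ oifname $LAN counter drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish only HTTPS and SMTP on the single public address.
        iifname $WAN tcp dport { 25, 443 } dnat to $SERVER

        # For contrast, a consumer router's "DMZ host" setting amounts to the
        # line below: every unsolicited packet from the WAN lands on the
        # server, all ports. Left commented out on purpose.
        # iifname $WAN dnat to $SERVER
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Both private subnets share the one public IP; masquerade uses
        # whatever address wan0 currently holds.
        oifname $WAN ip saddr $PRIVATE_NETS masquerade
    }
}
```

Load it with `nft -f <file>` and confirm the separation with `nft list ruleset`: the only rule with iifname dmz0 and oifname lan0 is the drop, and the only inbound ports reaching the server are 25 and 443. Because the DMZ and LAN are different subnets on different interfaces, the "same address space" problem described earlier in the thread does not arise; if both were on one subnet behind one interface, none of the interface-based rules above could tell them apart.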

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.