I have a question about creating a DMZ. I have a public interface with address 213.x.y.z and I want to make a DMZ on (for example) 172.16.30.1. I’ve created a 1:1 NAT (srcnat/dstnat netmap) and it works, but is it good practice?
Also, I’ve noticed that when I traceroute this (public) address I get the last address twice. I suppose it is because NAT translates the private/public IP, but is this normal?
The true idea of a DMZ means you have a completely separate network; consumer routers often call a host on the normal inside network that gets all traffic forwarded to it a DMZ. The former is much more secure than the latter.
Traceroutes do not show two entries because of NAT. Each hop is, well, one hop. One hop is one layer 3 device.
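
Added example, not part of the original thread: the separate-network DMZ described in the answer, combined with the 1:1 netmap NAT from the question, written as a configuration sketch. It assumes MikroTik RouterOS (the question's "netmap" wording suggests it but the thread does not say so); the interface names, the router's DMZ-side address 172.16.30.254/24, the published ports and the public address 203.0.113.10 (a documentation placeholder standing in for 213.x.y.z) are all assumptions, as is the premise that WAN addressing and LAN masquerading are already configured.

```routeros
# Added example; assumes MikroTik RouterOS. All interface names, the public
# address (placeholder 203.0.113.10) and the published ports are assumptions.
# ether1-wan = Internet, ether2-lan = inside network, ether3-dmz = DMZ segment

# The DMZ gets its own interface and subnet; it is not bridged with the LAN
/ip address
add address=172.16.30.254/24 interface=ether3-dmz

# 1:1 NAT between the public address and the DMZ host
/ip firewall nat
add chain=dstnat in-interface=ether1-wan dst-address=203.0.113.10 action=netmap to-addresses=172.16.30.1
add chain=srcnat out-interface=ether1-wan src-address=172.16.30.1 action=netmap to-addresses=203.0.113.10

/ip firewall filter
# Return traffic for connections that were already allowed
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Internet -> DMZ: only connections that matched the dstnat rule, only published ports
add chain=forward in-interface=ether1-wan out-interface=ether3-dmz connection-nat-state=dstnat protocol=tcp dst-port=80,443 action=accept
# LAN may open connections to the DMZ and to the Internet
add chain=forward in-interface=ether2-lan out-interface=ether3-dmz action=accept
add chain=forward in-interface=ether2-lan out-interface=ether1-wan action=accept
# DMZ host may reach the Internet (updates, DNS)
add chain=forward in-interface=ether3-dmz out-interface=ether1-wan action=accept
# The rule that makes it a DMZ: the DMZ cannot open connections into the LAN
add chain=forward in-interface=ether3-dmz out-interface=ether2-lan action=drop comment="DMZ must not reach LAN"
add chain=forward action=drop comment="default deny"
# DMZ hosts cannot open new connections to the router itself
add chain=input in-interface=ether3-dmz connection-state=new action=drop
```

The NAT rules alone only map addresses; the isolation comes from the forward-chain rules, which is the difference between a separate DMZ network and a "DMZ host" sitting on the inside network.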