At 01:46 PM 7/10/2003, you wrote:
You use RRAS packet filters and IPSec Policies to create a LAT-based DMZ. But remember, its NOT a real DMZ if you put private assets into it. Its like me putting my ex-mother in law in the Korean DMZ. Hmmm. well, that's not the best analogy, but you know what I mean. A DMZ is design as an entirely separate and distinct security zone that if compromise has no effect on your protected assets. Extending the private network's security zone into the DMZ entirely breaks the underpinnings of the DMZ concept. At that point all you have is a "screened subnet", not a DMZ.
Don't you WANT to put your ex-mother-in-law in the Korean DMZ? :-p