Generic IP Addressing Question

Discussion in 'Cisco' started by evergladesfl@gmail.com, Jan 3, 2007.

  1. Guest

    My experience has been that organizations with a public IP range
    (typically a /29 subnet) usually set up Internet connectivity this way:

    Router External Interface: Public IP
    Router Internal Interface: Public IP
    Firewall "External" Interface (connected to Router Internal Interface):
    Public IP
    Firewall Internal Interface: Private IP

    My question is, why? Why waste three public IP addresses doing this,
    rather than having a single public on the router's external interface,
    and using private addresses from there? Is it because it's easier to
    set up NAT on the firewall?

    Thanks for any guidance.
    , Jan 3, 2007
    #1

  2. Marc Elsen Guest


    > My experience has been that organizations with a public IP range
    > (typically a /29 subnet) usually set up Internet connectivity this way:
    >
    > Router External Interface: Public IP
    > Router Internal Interface: Public IP
    > Firewall "External" Interface (connected to Router Internal Interface):
    > Public IP
    > Firewall Internal Interface: Private IP
    >
    > My question is, why? Why waste three public IP addresses doing this,
    > rather than having a single public on the router's external interface,
    > and using private addresses from there? Is it because it's easier to
    > set up NAT on the firewall?
    >


    Many perimeter setups are full of historical artifacts.
    Well, artifacts, depends on how you look at it:

    In our case, and for many others probably, when we got
    to the Internet, NAT was not yet a common technology.

    Hence setups like this, which you will find at many places, so to speak.

    M.
    Marc Elsen, Jan 3, 2007
    #2

  3. In article <>,
    <> wrote:
    >My experience has been that organizations with a public IP range
    >(typically a /29 subnet) usually set up Internet connectivity this way:


    >Router External Interface: Public IP
    >Router Internal Interface: Public IP
    >Firewall "External" Interface (connected to Router Internal Interface):
    >Public IP
    >Firewall Internal Interface: Private IP


    >My question is, why? Why waste three public IP addresses doing this,
    >rather than having a single public on the router's external interface,
    >and using private addresses from there? Is it because it's easier to
    >set up NAT on the firewall?


    One reason: if the firewall is acting as a VPN termination point,
    then having NAT before the firewall can interfere with the VPN.
    ISAKMP NAT traversal (NAT-T) is relatively new and has throughput
    implications.
    Walter Roberson, Jan 3, 2007
    #3
  4. In article <CnVmh.556784$R63.446870@pd7urf1no>,
    (Walter Roberson) wrote:

    > In article <>,
    > <> wrote:
    > >My experience has been that organizations with a public IP range
    > >(typically a /29 subnet) usually set up Internet connectivity this way:

    >
    > >Router External Interface: Public IP
    > >Router Internal Interface: Public IP
    > >Firewall "External" Interface (connected to Router Internal Interface):
    > >Public IP
    > >Firewall Internal Interface: Private IP

    >
    > >My question is, why? Why waste three public IP addresses doing this,
    > >rather than having a single public on the router's external interface,
    > >and using private addresses from there? Is it because it's easier to
    > >set up NAT on the firewall?

    >
    > One reason: if the firewall is acting as a VPN termination point,
    > then having NAT before the firewall can interfere with the VPN.
    > isakmp nat traversal (NAT-T) is relatively new and has throughput
    > implications.


    Here are some other issues:

    1) If there are servers behind the firewall, the firewall often needs to
    redirect different public addresses to each server. You may be able to
    get away with a single IP and port redirection if each server is on a
    different port, but if you have multiple servers of the same type (e.g.
    multiple web servers) then it's easiest to redirect separate IPs.

    2) Sometimes you need to have machines on the segment outside the
    firewall. There may be some protocols that are hard to pass through a
    NAT. You may need to do some network troubleshooting on a machine
    outside the firewall. You might want to test a new firewall, and need
    to access it with a public IP.

    --
    Barry Margolin,
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***
    Barry Margolin, Jan 4, 2007
    #4
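Barry's first point (one public address per server versus port redirection on a single address) is easy to check mechanically. The following is an added example, not code from any poster in this thread: it takes a customer /29 (a constructed RFC 5737 documentation block), sets aside the transit addresses the thread's three-IP design consumes (the `router_inside` and `firewall_outside` names are assumptions), and validates a proposed static-NAT / port-forward plan, rejecting a second server that wants the same public IP and port.

```python
import ipaddress

# Constructed sample: a customer /29 in documentation space, plus the two
# public addresses the thread's design spends on the router-to-firewall link.
CUSTOMER_BLOCK = "203.0.113.0/29"  # constructed, RFC 5737 documentation range
TRANSIT_RESERVED = {               # assumed labels for the transit segment
    "router_inside": "203.0.113.1",
    "firewall_outside": "203.0.113.2",
}


def nat_candidates(block, reserved):
    """Usable host addresses of `block` not consumed by transit links."""
    net = ipaddress.ip_network(block, strict=True)
    taken = {ipaddress.ip_address(a) for a in reserved.values()}
    return [str(h) for h in net.hosts() if h not in taken]


def build_nat_table(rules, candidates):
    """Validate forwards given as (public_ip, public_port, server_ip, server_port).

    Returns {(public_ip, public_port): (server_ip, server_port)}; raises
    ValueError if a public address is outside the free pool or if two
    servers claim the same public IP and port (Barry's web-server case).
    """
    table = {}
    for pub_ip, pub_port, srv_ip, srv_port in rules:
        if pub_ip not in candidates:
            raise ValueError(f"{pub_ip} is not free in the customer block")
        key = (pub_ip, pub_port)
        if key in table:
            raise ValueError(f"{pub_ip}:{pub_port} already forwards to {table[key]}")
        table[key] = (srv_ip, srv_port)
    return table


def plan(rules, block=CUSTOMER_BLOCK, reserved=TRANSIT_RESERVED):
    """Return (table, None) on success or (None, reason) on a conflict."""
    try:
        return build_nat_table(rules, nat_candidates(block, reserved)), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Two web servers behind one public address collide on port 80 ...
    print(plan([("203.0.113.3", 80, "10.0.0.10", 80),
                ("203.0.113.3", 80, "10.0.0.11", 80)]))
    # ... but each gets its own address once the /29 is routed to the firewall.
    print(plan([("203.0.113.3", 80, "10.0.0.10", 80),
                ("203.0.113.4", 80, "10.0.0.11", 80)]))
```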
  5. chris Guest

    <> wrote in message
    news:...
    > My experience has been that organizations with a public IP range
    > (typically a /29 subnet) usually set up Internet connectivity this way:
    >
    > Router External Interface: Public IP
    > Router Internal Interface: Public IP
    > Firewall "External" Interface (connected to Router Internal Interface):
    > Public IP
    > Firewall Internal Interface: Private IP
    >
    > My question is, why? Why waste three public IP addresses doing this,
    > rather than having a single public on the router's external interface,
    > and using private addresses from there? Is it because it's easier to
    > set up NAT on the firewall?
    >
    > Thanks for any guidance.
    >


    Some ISPs now use RFC 1918 addresses on the outside of the router facing
    their own core network. As these /30 links don't need to be routable outside
    the ISP's network, there is no need to use public address space.
    chris, Jan 4, 2007
    #5
