|
Posted by on March 22, 2007, 5:21 am
If you were Registered and logged in, you could reply and use other advanced thread options > wellingtonexternalt...@hotmail.co.uk wrote:
>
> Hello,
>
> >> What your ISP wants in complete nonsense. Their router simply should do
> >> what a router is designed to do and that is routing. That means that they
> >> should do no NAT at all on their router but route a public network to
> >> you. From this public network they use one address on their router and
> >> with the rest you can do whatever you want. A Pix can well be considered
> >> a serious deviceb and it is designed to run with one or more public
> >> addresses on the external interface. No need for NAT on the ISP router,
> >> almost everywhere, where Pixes are used these boxes do the NAT, not the
> >> ISP router.
> > Some questions, this No Nat solution was briefly discussed but was
> > ruled out,or at least not encouraged from the isp side of things as
> > this would require a major change to both the new router they are
> > currently configuring and the firewall. They suggested this second
> > option i mentioned in the first post as the way to go as it would be
> > less changes. Do you agree with their assesment?
>
> I've been involved into the ISP business for more than a decade and I've
> seen more than ISP during that time. Your ISP is simply talking nonsense.
> It is the plain usual business of any ISP to route a public network to a
> customer. Period.
>
> > Forgetting the router changes that the isp would make, what firewall
> > changes would be required, as this is what i would have to do and my
> > skill set on firewall changes is not great, ie the less changes i need
> > to make the better as i dont want to make any mistakes and expose the
> > internal network..
>
> You find a lot of Pix configuration examples onwww.cisco.com. It is just
> normal to run a Pix (like any other serious firewalling device) with one or
> more public (= routable) addresses on the external interface(s).
>
> > If i was to go forward with this router nat through to the firewall
> > solution that the isp want to do, what would i need to do on the
> > firewall to present these ip addresses?
>
> You find a lot of Pix configuration examples onwww.cisco.com. But I really
> doubt that you want to run such a double NAT setup. Just consider that you
> want to use your Pix as an endpoint of one or more IPSeC VPN tunnel(s). You
> definitely want a public IP on the external interface of the Pix and no NAT
> from any ISP router for such a setup. The firewall (in your case that is
> the Pix) is the device on the perimeter of your network. It is designed to
> run there. If you fear to run it on the border to a hostile network, then
> something is definitely plain wrong with the device you have chosen as your
> firewall.
>
> > If i were to use your suggestion the only nat's would be on my
> > firewall where i would allow the relevant traffic through for smtp and
> > owa etc. That makes sense and i cant understand why the isp would
> > think this is a more complicated solution to go with.
>
> That is indeed the normal solution.
>
> > Whats the standard solution usually employed?
>
> see above.
>
> Wolfgang
Wolfgang again thanks for the reply.
Going forward then with the normal solution, apart from creating the
relevant nat, access lists etc for say smtp traffic is there any other
changes i need to make to the firewall to prepare it in advance for
accepting these public ip addresses? do i need set anything up in the
firewall config to tell it your now associated with this range of ip
addresses. or is that what the router is for?
im guessing that all i need to do is tell the isp that i want to
progress with this no nat solution instead., they will then deliver
this newly configured router, this router will be configured to
deliver the external public ip addresses to the outside interface of
firewall. i add nat for an external ip address with rules and access
lists for smtp traffic to the internal mail server.
seems simple enough.. am i missing anything obvious?
thanks
gbm
| 
XML site map