Christopher,
Most ISPs grant you one IP address with a 30-bit mask for your
Internet router's WAN interface. Then you'll have a separate but
contiguous block of additional IP addresses, with the first available
IP usually assigned by your ISP to the Internet router's Ethernet
interface. The next available IP from said block usually goes to your
firewall's external interface.
You can NAT at the router and make your firewall's external IP
private, freeing up an IP. But then consider VPN connections and how
you will have to get "jiggy" with the router's config to pass the
encrypted traffic to the firewall. Consider also having another
remote CP firewall that your mgmt server manages. Establishing and
troubleshooting SIC can become more complex in that scenario.
Natting at the firewall, particularly a CP firewall, makes sense,
because the NAT rulebase is still part of a single policy package, and
the NAT policy is centrally manageable. You can NAT wherever you
choose, but are you willing to give up centralized NAT management just
to save one global IP? Also, natting at the firewall means that NAT
takes place at the same point where policy enforcement takes place.
It just all gets along.
-fwguru
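A small address-planning script, added here as an illustration and not part of either message, that lays out the two designs discussed above (a 30-bit WAN link, the first usable IP of the additional block on the router's Ethernet interface, the next one on the firewall's external interface when NATting at the firewall) and counts the public IPs left over in each case. The prefixes are constructed from the RFC 5737 documentation ranges; the function names are mine.

```python
import ipaddress


def plan_addressing(wan_cidr, block_cidr, nat_at):
    """Allocate public IPs for the two designs in the thread.

    wan_cidr   -- the /30 point-to-point link for the router's WAN interface
    block_cidr -- the additional contiguous block the ISP routes to you
    nat_at     -- "router" (firewall external IP becomes private) or "firewall"
    Returns the assignments plus the public IPs still free for NAT pools/servers.
    """
    wan = ipaddress.ip_network(wan_cidr, strict=True)
    block = ipaddress.ip_network(block_cidr, strict=True)
    if wan.prefixlen != 30:
        raise ValueError("WAN link is expected to carry a 30-bit mask (/30)")
    wan_hosts = list(wan.hosts())      # exactly two usable addresses on a /30
    block_hosts = list(block.hosts())  # usable addresses of the extra block
    plan = {
        "isp_wan": str(wan_hosts[0]),            # ISP end of the /30 (assumed)
        "router_wan": str(wan_hosts[1]),         # your router's WAN interface
        "router_ethernet": str(block_hosts[0]),  # first usable IP of the block
    }
    if nat_at == "firewall":
        # Next usable public IP goes to the firewall's external interface.
        plan["firewall_external"] = str(block_hosts[1])
        remaining = block_hosts[2:]
    elif nat_at == "router":
        # Firewall external interface is private; the router NATs for it.
        plan["firewall_external"] = "private (RFC 1918) behind router NAT"
        remaining = block_hosts[1:]
    else:
        raise ValueError("nat_at must be 'router' or 'firewall'")
    plan["free_public_ips"] = [str(ip) for ip in remaining]
    return plan


def ips_saved_by_router_nat(wan_cidr, block_cidr):
    """Public IPs freed by NATting at the router instead of the firewall."""
    at_fw = plan_addressing(wan_cidr, block_cidr, "firewall")
    at_rt = plan_addressing(wan_cidr, block_cidr, "router")
    return len(at_rt["free_public_ips"]) - len(at_fw["free_public_ips"])


if __name__ == "__main__":
    # Constructed sample prefixes from the RFC 5737 documentation ranges.
    for where in ("firewall", "router"):
        print(where, plan_addressing("203.0.113.0/30", "198.51.100.0/29", where))
    print("saved:", ips_saved_by_router_nat("203.0.113.0/30", "198.51.100.0/29"))
```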
On 4/15/05, Chris McGill <Chris.McGill AT phoenix.co DOT uk> wrote:
> Hi,
>
> My understanding is that an ISP provides you with a primary IP and an
> additional block if requested, subnetted differently to the primary block, but
> makes the necessary adjustments on their equipment to forward all traffic for
> the block to your primary IP. This also allows you to NAT at the edge router, or
> use two of the public IPs for the router's internal interface and the
> firewall's external interface and NAT at the firewall, but this wastes an
> IP. Is this correct, have I missed anything, and what are the benefits if
> any of NATting at the Firewall. Thanks
>
> Christopher McGill
> CCSA, CCNA, MCP
>
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be copied,
> disclosed to, retained or used by, any other party. If you are not an
> intended recipient then please promptly delete this e-mail and any attachment
> and all copies and inform the sender. Thank you.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>