Public IP addresses in my LAN


I have a customer who uses Public IP addresses on their internal LAN.

They have a firewall at both sites and they open the required ports using access lists. They have also opened all traffic between their public IP ranges at each site.

I think this is a security vulnerability and could cause things like IP spoofing attacks.

I would like to know what the vulnerabilities are when using public addresses inside the LAN. Are there any guidelines from Cisco?

thanks in adv,

Jon Marshall Fri, 01/04/2008 - 00:31

Hi Joe

Cisco, as do most other companies/experts etc., recommends that NAT should not be seen as a security practice but rather as an IP address preservation issue.

The danger is with the inbound access given.

If you have a web server that you want internet users to be able to connect to, it really doesn't make that much difference whether you present it on a public IP while it has a private IP, or whether it has a public IP. The key thing here would be that the web server is on a DMZ.

However, with private addressing on all your clients they are not open to connections from the internet unless they make an outbound connection first. But with public addressing you are far more reliant on the access given through the firewall. A rule that is slightly more open than intended could have unforeseen consequences.

As for IP spoofing, well yes, you could spoof the source addresses and this could be a concern. It is still relatively tricky to spoof a full-blown TCP connection, but obviously the idea of someone spoofing a UDP SNMP set message telling their core router to shut down is something you wouldn't want!

But all that said, put simply, you shouldn't rely on NAT for security, i.e. in the example used above for SNMP you should have a non-standard SNMP string and an access-list that limits which IP addresses can send commands to the router.
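The controls Jon describes (an edge rule set that does not trust source addresses, and SNMP locked to a named list of managers) written out as an IOS configuration. This is an added example, not from the thread or from Cisco; it assumes a placeholder public LAN block 203.0.113.0/24, an internet-facing GigabitEthernet0/0, a LAN-facing GigabitEthernet0/1, a DMZ web server at 203.0.113.80 and a single NMS at 203.0.113.10.

```cisco
! Added example (not from the original post). All addresses are placeholders.
!
! 1. Anti-spoofing on the internet-facing interface: packets arriving from
!    the internet that claim to come from our own public block, or from
!    private/loopback space, are dropped before any permit rule is reached.
ip access-list extended FROM-INTERNET
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 ! Only the service deliberately exposed (the DMZ web server)
 permit tcp any host 203.0.113.80 eq 443
 ! Return traffic for sessions the LAN opened belongs to the stateful
 ! firewall policy and is not shown here; everything else is refused.
 deny   ip any any log

! 2. Strict unicast RPF as a second anti-spoofing check: drop any packet
!    whose source address is not routed back out the receiving interface.
interface GigabitEthernet0/0
 description Internet
 ip access-group FROM-INTERNET in
 ip verify unicast source reachable-via rx

! 3. Egress filtering on the LAN side: a host on the LAN may only send
!    packets sourced from our own block, so a compromised internal host
!    cannot spoof another site's or the router's addresses.
ip access-list extended FROM-LAN
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
interface GigabitEthernet0/1
 description Public-addressed LAN
 ip access-group FROM-LAN in

! 4. SNMP: non-default community, read-only, bound to an ACL that lists only
!    the NMS. No read-write community exists, so a spoofed SNMP set is not
!    honoured even if its source address slipped past the filters above.
ip access-list standard SNMP-NMS
 permit host 203.0.113.10
 deny   any log
snmp-server community <NON-DEFAULT-STRING> RO SNMP-NMS
```

Strict uRPF (`reachable-via rx`) assumes symmetric routing on that interface; on a multi-homed site use `reachable-via any` (loose mode) or it will drop legitimate asymmetric traffic.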
