Hi, can you please see the attached detailed lab diagram and question. Thanks much for your great help.
1) As is now, from "Backup" and "Primary" I can see routes to "Internal" and ping the "Internal" router.
In a real production environment, is this behavior typical? I mean, typically people would prefer to avoid letting the service provider ping "Internal", right? Or, as long as I set up a network for my internal clients and do not advertise that one to Edge and beyond, then if the ISPs have visibility of the "Internal" router that should not be a problem?
If it is the case that Backup and Primary should be able to ping "Internal", is an access-list blocking traffic from Backup and Primary to "Internal" the way to go?
This is a rather open-ended question.
But the ISP must see your IP, otherwise they can't route your IP.
Typically, the ISP is a shared environment whose role is to pass your traffic and keep your IP within your own VPN. You will not see other customers' IPs, and others will not see yours.
If you don't want the ISP to see your real IP, you could NAT it, and the ISP will route the global IP.
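As an added example of the NAT-plus-access-list approach the answer describes (not configuration from the thread or its lab), here is an Edge router configuration that translates the internal addresses, drops ISP-sourced traffic aimed at the private space, and keeps internal prefixes out of what is advertised upstream. All addresses, interface names and the use of BGP are assumptions; the diagram's own addressing is not known here.

```cisco
! Edge router (added example). Assumed addressing: Internal LAN 10.0.0.0/24,
! Edge-Internal link 10.0.1.0/30, public /30 links to Primary and Backup.
interface GigabitEthernet0/0
 description to Internal router
 ip address 10.0.1.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 description to Primary ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group FROM-ISP in
!
interface GigabitEthernet0/2
 description to Backup ISP
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group FROM-ISP in
!
! Hosts behind Internal (10.x) are translated to the address of whichever
! ISP-facing interface the packet leaves on, so the ISPs only ever see the
! public interface address, not the Internal router or its clients.
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.255.255.255
route-map NAT-PRIMARY permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/1
route-map NAT-BACKUP permit 10
 match ip address NAT-INSIDE
 match interface GigabitEthernet0/2
ip nat inside source route-map NAT-PRIMARY interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-BACKUP interface GigabitEthernet0/2 overload
!
! Inbound from either ISP: private-space destinations (e.g. a ping to the
! Internal router) and spoofed private sources are dropped; everything else,
! including replies to translated sessions, is permitted and then un-NATed.
ip access-list extended FROM-ISP
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
! Assumed eBGP to the Primary ISP: only the public block is announced, so the
! 10.x routes never leave Edge and the ISPs have no path to "Internal".
ip prefix-list PUBLIC-ONLY seq 5 permit 203.0.113.0/24
router bgp 65001
 neighbor 203.0.113.1 remote-as 65010
 neighbor 203.0.113.1 prefix-list PUBLIC-ONLY out
```

With this in place `ping 10.0.1.2` from Primary or Backup fails at the FROM-ISP list on Edge, while hosts behind Internal still reach the outside through the translated address; a second `router bgp` neighbor block for the Backup ISP would use the same prefix-list.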