Question on "ISPs" seeing routes to "Internal" router, basic lab

Answered Question
Jul 15th, 2009

Hi, can you please see attached detailed lab diagram and question. Thanks much for your great help.


Question:

1) As is now, from "Backup" and "Primary" I can see routes to "Internal" and ping "Internal" router.

In a real production environment, is this behavior typical? I mean, typically people would prefer to avoid letting the service provider ping "Internal", right? Or as long as I set a network for my internal clients and do not advertise that one to Edge and beyond, so then if ISPs have visibility to "Internal" router that should not be a problem?

If that is the case that Backup and Primary should be able to ping "Internal", is an access-list blocking traffic from Backup and Primary to "Internal" the way to go?



Correct Answer by chinkevi_2, Wed, 07/15/2009 - 21:55

This is a rather open-ended question.

But the ISP must see your IP, otherwise they can't route your IP.

Typically, the ISP is a shared environment whose role is to pass your traffic and keep your IP within your own VPN. You will not see other customers' IPs, and others will not see yours.

If you don't want the ISP to see your real IP, you could NAT it, and the ISP will route the global IP.

Giuseppe Larosa Wed, 07/15/2009 - 23:22

Hello Marlon,

Ting has provided a good answer: usually NAT plays a role here: it is highly preferred to use private IP addresses as per RFC 1918 for the infrastructure devices.

ACLs are usually deployed at border routers for security reasons to avoid so-called network reconnaissance attacks that try to find out your IP subnets.


Hope to help

Giuseppe
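
The two measures named in the replies (NAT in front of RFC 1918 infrastructure addresses, and an ACL on the border router) as they could look on the lab's Edge router. This is an added example, not configuration posted by anyone in the thread; the interface names, the 10.10.0.0/16 inside range and the documentation-range ISP link addresses are assumptions, since the lab diagram is not part of the page.

```cisco
! Added example for the Edge router; not from the original thread.
! Constructed values: interface names, 10.10.0.0/16 (inside, RFC 1918),
! 192.0.2.0/30 and 198.51.100.0/30 (ISP links, documentation ranges).

! Inside sources that are translated when they leave toward an ISP.
ip access-list standard NAT-INSIDE
 permit 10.10.0.0 0.0.255.255

! Applied inbound on the ISP-facing interfaces. It is evaluated before NAT
! translates return traffic, so replies addressed to the global IP pass.
ip access-list extended FROM-ISP
 remark drop packets claiming a private source address
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark drop and log anything addressed directly to private infrastructure
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip any any

interface FastEthernet0/0
 description To Internal
 ip address 10.10.1.1 255.255.255.0
 ip nat inside

interface Serial0/0
 description To Primary ISP
 ip address 192.0.2.1 255.255.255.252
 ip nat outside
 ip access-group FROM-ISP in

interface Serial0/1
 description To Backup ISP
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 ip access-group FROM-ISP in

! One PAT rule per exit; each route-map selects its rule by outgoing interface.
route-map VIA-PRIMARY permit 10
 match ip address NAT-INSIDE
 match interface Serial0/0
route-map VIA-BACKUP permit 10
 match ip address NAT-INSIDE
 match interface Serial0/1
ip nat inside source route-map VIA-PRIMARY interface Serial0/0 overload
ip nat inside source route-map VIA-BACKUP interface Serial0/1 overload
```

The ACL only drops packets; whether "Backup" and "Primary" still learn a route to "Internal" depends on what Edge advertises to them, which is configured in the routing protocol the lab runs.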

