I have a PIX firewall which I was planning to place between our MSFC and our ISP link. Since the connection to the ISP is 100 Mbps, I didn't see the need to use another (border) router for media conversion.
We plan to run eBGP through the PIX and have tested this with ebgp-multihop and static routes to bring up BGP, and this works OK.
However, our ISP tells me that this is not the norm, and I was wondering if there are any potential problems with this setup.
What type of termination is available on the PIX outside interface towards your ISP? Are you using cable, DSL? It would be a better idea to have a router on the outside interface, in many ways. First of all, you can have IOS firewalling configured on the border router. Also, adding more links for increasing bandwidth, multihoming, etc. would be easy.
If so, your ISP's router should already be advertising its directly connected network. Therefore, is it possible you can NAT/PAT all inside networks to the existing address 'you hold' and just put the firewall in line with your connection to the ISP? (You would be making the global NAT/PAT address the address the ISP has given you.)
If you have services running on networks that you otherwise need advertised to the NET, you can port forward to them provided you are running version 6.2.2 +.
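
The setup described in the original post (eBGP from the MSFC through the PIX, brought up with ebgp-multihop and static routes), as an added configuration example that is not taken from the thread. Every address, AS number, and the ACL name `outside_in` is a constructed placeholder, and the PIX lines assume 6.x syntax.

```cisco
! Constructed values (documentation ranges, not from the thread):
!   MSFC peering address : 198.51.100.2   (PIX inside segment)
!   PIX inside / outside : 198.51.100.1 / 192.0.2.2
!   ISP router           : 192.0.2.1, AS 64500
!   Local AS             : 64496

! --- MSFC (IOS) ---
router bgp 64496
 neighbor 192.0.2.1 remote-as 64500
 ! The ISP router is not on a directly connected subnet, so the
 ! default eBGP connected check has to be relaxed.
 neighbor 192.0.2.1 ebgp-multihop 2
!
! Host route so the MSFC can reach the peer through the PIX inside
! interface before any BGP routes exist.
ip route 192.0.2.1 255.255.255.255 198.51.100.1

! --- PIX (6.x syntax) ---
! Identity static: the MSFC peering address crosses the firewall
! untranslated, so the ISP sees the source it has configured as
! its neighbor.
static (inside,outside) 198.51.100.2 198.51.100.2 netmask 255.255.255.255
!
! Only the ISP router may open BGP (TCP 179) toward the MSFC;
! everything else from outside stays denied by the implicit deny.
access-list outside_in permit tcp host 192.0.2.1 host 198.51.100.2 eq 179
access-group outside_in in interface outside

! --- ISP side (for reference) ---
! The ISP router needs the mirror image: a multihop neighbor
! statement for 198.51.100.2 and a route to it via 192.0.2.2.
```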